-
Notifications
You must be signed in to change notification settings - Fork 39.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add certificate-key to kubeadm upload-certs phase, and improve init output #74671
Conversation
/remote-priority important-longterm |
/remove-priority important-longterm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks @yagonobre !
i've added a coupe of comments.
@fabriziopandini should we add a release note here as well? i'm sort of +1 as the PR is extending the upload certs feature that has a separate release note. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@yagonobre thanks for the PR!
Everything seems ok, pending some refinements to the final init message. I'm looping in more people to gather feedback
/approve
cmd/kubeadm/app/cmd/util/join.go
Outdated
@@ -30,12 +30,16 @@ import ( | |||
) | |||
|
|||
var joinCommandTemplate = template.Must(template.New("join").Parse(`` + | |||
`kubeadm join {{.ControlPlaneHostPort}} --token {{.Token}}{{range $h := .CAPubKeyPins}} --discovery-token-ca-cert-hash {{$h}}{{end}}{{if .UploadCerts}} --certificate-key {{.CertificateKey}}{{end}}`, | |||
`{{if .UploadCerts}}To join a node: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's the tricky part of this PR.
These are the case that should be managed IMO
- without controlPlaneEndpoint --> you can only join worker nodes
- with controlPlaneEndpoint --> you can join both control-plane and worker nodes
- without certificate key -> you have to copy certs manually
- with certificate key -> you can copy certs manually or download certs
A proposal for converting all the above cases into a short and concise command output:
- only join worker nodes
You can now join any number of worker nodes by running the following on each as root:
kubeadm join <master-ip>:<master-port> --token <token> --discovery-token-ca-cert-hash sha256:<hash>
- i. both control-plane (with manual copy) and worker nodes
You can now join any number of control-plane node by copying the required certificate authorities on each node and then running the following as root:
To join a control-plane node you should copy required certificates to the node and then run the following command as a root:
kubeadm join <master-ip>:<master-port> --experimental-control-plane --token <token> --discovery-token-ca-cert-hash sha256:<hash>
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join <master-ip>:<master-port> --token <token> --discovery-token-ca-cert-hash sha256:<hash>
- ii. both control-plane (with automatic/manual) and worker nodes
To join a control-plane node run the following command on each as a root:
kubeadm join <master-ip>:<master-port> --experimental-control-plane --certificate-key <key> --token <token> --discovery-token-ca-cert-hash sha256:<hash>
Please note that the certificate-key gives access to cluster sensitive data, keep it secret!
As a safeguard, uploaded-certs will be deleted in two hours; If necessary, you can use `kubeadm init phase upload-certs` to reload certs afterward.
Then you can join any number of worker nodes by running the following on each as root:
kubeadm join <master-ip>:<master-port> --token <token> --discovery-token-ca-cert-hash sha256:<hash>
Possible further improvements:
- detail required certificates in case 2.i
- break join commands on multiple lines using \ and move the common (
--token <token> ...
) part on a second line
@timothysc @neolit123 @rosti opinions?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fabriziopandini I like your ideas. We can extend the security warning to cover tokens too.
@yagonobre I have a particular distaste for having flow control structures (like if
statements) in templates. Please, avoid their use. I am OK with for loops though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the new messages SGTM. i forgot that we now have to handle them.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
2.i looks weird repeating the two first sentences in different ways, apart from that messages look fine and clear.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rosti what do you recommend to avoid ifs on this template?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@yagonobre I may be misunderstanding your question. Correct me if I am wrong.
You can use different templates for the different use cases in the above example.
Something along the lines of:
var templateToUse *template.Template
if uploadCerts {
templateToUse = uploadCertsJoinTemplate
} else {
templateToUse = controlPlaneJoinTemplate
}
...
err = templateToUse.Execute(&out, ctx)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, but I'll need to duplicate some text, I'm not sure if it;s better than have a if in the template.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @yagonobre !
cmd/kubeadm/app/cmd/util/join.go
Outdated
@@ -30,12 +30,16 @@ import ( | |||
) | |||
|
|||
var joinCommandTemplate = template.Must(template.New("join").Parse(`` + | |||
`kubeadm join {{.ControlPlaneHostPort}} --token {{.Token}}{{range $h := .CAPubKeyPins}} --discovery-token-ca-cert-hash {{$h}}{{end}}{{if .UploadCerts}} --certificate-key {{.CertificateKey}}{{end}}`, | |||
`{{if .UploadCerts}}To join a node: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fabriziopandini I like your ideas. We can extend the security warning to cover tokens too.
@yagonobre I have a particular distaste for having flow control structures (like if
statements) in templates. Please, avoid their use. I am OK with for loops though.
@@ -81,6 +85,9 @@ func GetJoinCommand(kubeConfigFile, token, key string, skipTokenPrint, uploadCer | |||
if skipTokenPrint { | |||
ctx["Token"] = template.HTML("<value withheld>") | |||
} | |||
if skipCertificateKeyPrint { | |||
ctx["CertificateKey"] = template.HTML("<value withheld>") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oddly enough, we use html/template
here. This might cause problems when we try to feed a template with non-alphanumeric characters (<
is turned into <
, etc.).
But anyway, this again is out of the scope of this PR.
@yagonobre please let me know if you don't have the time for this. |
b163184
to
205efc0
Compare
205efc0
to
b193685
Compare
@neolit123 should I add a release note? |
@yagonobre |
@yagonobre this looks great! |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fabriziopandini, yagonobre The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
given feature freeze is soon -> merge this now, send bug fixes later if needed.
tide is currently borked, so let's see if this will merge.. |
We need to draw a cut-line on anything non-bug related. |
/test pull-kubernetes-e2e-gce |
What type of PR is this?
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes kubernetes/kubeadm#1408
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
/priority important-longterm
@kubernetes/sig-cluster-lifecycle-pr-reviews