Use the kubeApiServerConfig clientCAFile field #10707
Conversation
|
Welcome @slu2011! |
|
Hi @slu2011. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
cncf-cla: no
k8s-ci-robot
added
cncf-cla: yes
|
/ok-to-test Thanks @slu2011! do you mind explaining your use-case for setting this field? |
k8s-ci-robot
added
ok-to-test
|
/test pull-kops-e2e-kubernetes-aws |
|
/test pull-kops-e2e-k8s-containerd |
Thanks a lot @rifelpet. Our usecase is that we need to have each human admin to have short-lived client cert to access the cluster.. The admin client cert are generated separately using another CA (ca_admin). Thus we would like to have a separate client CA file for the apiserver, which contains both the K8s CA and the ca_admin. We cannot put multiple certs in ca.crt as ca.crt must contain one cert. There are also older issues regarding this: #3243 |
nodeup/pkg/model/kube_apiserver.go
Outdated
| @@ -298,6 +298,9 @@ func (b *KubeAPIServerBuilder) buildPod() (*v1.Pod, error) { | |||
| } | |||
|
|
|||
| kubeAPIServer.ClientCAFile = filepath.Join(b.PathSrvKubernetes(), "ca.crt") | |||
| if b.Cluster.Spec.KubeAPIServer.ClientCAFile != "" { | |||
There was a problem hiding this comment.
We have kubeAPIServer := b.Cluster.Spec.KubeAPIServer above, and then you set kubeAPIServer.ClientCAFile = b.Cluster.Spec.KubeAPIServer.ClientCAFile
Is this rather redundant or am I missing something?
There was a problem hiding this comment.
Thanks for your comment @olemarkus.
Before the change, line 300 would overwrite kubeAPIServer.ClientCAFile to filepath.Join(b.PathSrvKubernetes(), "ca.crt") regardless.
I did not realize we have kubeAPIServer := b.Cluster.Spec.KubeAPIServer above. A better change might be overwrite the kubeAPIServer.ClientCAFile to filepath.Join(b.PathSrvKubernetes(), "ca.crt") only when b.Cluster.Spec.KubeAPIServer.ClientCAFile is empty string (default)? Updated the change.
|
Can you add some docs on how to use this as well? I assume you want to populate the actual file using |
Would that be OK if add a section in In our usecase, we would like the client-ca file to contain two certs (K8s ca.crt and our own admin_ca.crt). We embed the admin_ca.crt in the AMI and use kops hooks to create the combined file. |
k8s-ci-robot
removed
the
size/S
k8s-ci-robot
added
the
size/M
|
Thanks for adding the docs. Can you mention that the file must include the cluster ca? Alternatively I wonder if you can always append the cluster CA. If people do this manually, it will break the cluster CA rotation functionality I am working on. |
Thanks for the info regarding CA rotation. Yes we currently do append the ca.crt in the end of client-ca.crt. The append work is done using a kops-hook. In my opinion, using a Kops hook to do the append is at least an OK solution (since the additional CA is provided by the user, the work to configure it should also be handled by the user -- in this case via a kops hook). Also, from the user's point of view, using a kops-hook has the best flexibility that they can put any logic in it. Using kops hook can also cover the case that the CA is rotated -- the hook can be set to run continuously, and it also compared the content of the ca.crt and the appended ca.crt copy. If diff is found, it can append the updated ca.crt. Moreover, I think overriding the client-ca file also means that the user need to be responsible to manage the client-ca file, which includes making sure that the rotated ca.crt should be appended, as well as that the user provided CA is also rotated correctly. Do you think this is a OK solution? If so I will update the doc to cover the above append and update ca.crt logic, and the recommended way to setup the kops hook. |
|
Yes, I think it is sufficient to add that for now |
docs/cluster_spec.md
Outdated
|
|
||
| In the case that the user would use a customized client-ca file, it is common that the kubernetes CA (`/srv/kubernetes/ca/crt`) need to be appended to the end of the client-ca file. One way to append the ca.crt to the end of the customized client-ca file is to write an [kop-hook](https://github.com/kubernetes/kops/blob/master/docs/cluster_spec.md#hooks) to do the append logic. | ||
|
|
||
| Kops also has CA rotation feature, which would refresh the kubernetes cert files, including the ca.crt. If a customized client-ca file is used, when kops cert rotation happens, the user is responsible to update the ca.crt in the customized client-ca file. The refresh ca.crt logic can also be achieved by writing a kops hook. |
There was a problem hiding this comment.
Nit: it will have :) It is still a PR. But you could just refer to https://kops.sigs.k8s.io/rotate-secrets/
|
Thanks. The docs could have used relative links. But not important. Can clean this up later. /lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: olemarkus, slu2011 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest Review the full test history for this PR. Silence the bot with an |
|
@olemarkus many thanks for your help!! On the other hand, what is the procedure I should follow to cherry-pick this change to release 1.19? |
Hello!
We have a usecase that would need to be able to specify a different client-CA file for the kube-apiserver. Also, it seems that there were prior discussion about this requirement too(#3243), although it was closed for inactivity.
This change just enables the ClientCAFile field of the KubeAPIServerConfig struct, So that the user can specify the ClientCAFile and the apiserver config yaml would reflect it.
Thanks a lot!