Setup heptio authenticator #5197
Conversation
k8s-ci-robot
added
size/L
|
/assign @justinsb @chrislovecnm @rifelpet @rifelpet adding you since you created the kops docs in the heptio authenticator repo. |
| @@ -157,6 +157,103 @@ func (b *KubeAPIServerBuilder) writeAuthenticationConfig(c *fi.ModelBuilderConte | |||
| return nil | |||
| } | |||
|
|
|||
| if b.Cluster.Spec.Authentication.Heptio != nil { | |||
There was a problem hiding this comment.
Perhaps left to another PR, but should consider merging the kopeio and this together given both is essentially just a web hook with a url diff ..
There was a problem hiding this comment.
Will create another PR to merge / cleanup.
|
|
||
| c.AddTask(&nodetasks.File{ | ||
| Path: "/srv/kubernetes/heptio-authenticator-aws/key.pem", | ||
| Contents: fi.NewBytesResource(keyData), |
There was a problem hiding this comment.
Can you add file perms to 0600 please Mode: fi.String("600") .. as the default is world readable
There was a problem hiding this comment.
These are the perms that I think are still missing @rdrgmnzs
There was a problem hiding this comment.
I don't think you added it to this task (key.pem( - I do see it for the other two file tasks though.
|
|
||
| ``` | ||
| --- | ||
| apiVersion: v1 |
There was a problem hiding this comment.
What happen's if the config isn't there? .. does it's just crashloop the pods? ... Just wondering in case it effects rollouts .. i'm pretty sure the validate cluster code looks for pod restarts in kube-system ..
There was a problem hiding this comment.
The pod will sit in a creating status. I have not tired doing a rollout while it's in this state, but will do so.
There was a problem hiding this comment.
Ar yes! .. it would be stuck in pending .. Still if you can quickly verify / confirm it handles on a pre-built cluster and can rollout, that would be cool
There was a problem hiding this comment.
The pod stays in state:
kube-system heptio-authenticator-aws-4fkzp 0/1 ContainerCreating 0 10m
with the error:
Unable to mount volumes for pod "heptio-authenticator-aws-4fkzp_kube-system(93f46fcb-654e-11e8-a014-0e21d0512306)": timeout expired waiting for volumes to attach or mount for pod "kube-system"/"heptio-authenticator-aws-4fkzp". list of unmounted volumes=[config]. list of unattached volumes=[config output state default-token-6rtmz]
However I'm still able to perform a full cluster rolling update while the cluster is in this state so we should be ok.
|
hi @rdrgmnzs .. were you able to check a rollout on a existing cluster? ... also, can we add the filemode on the key ... other than those its LGTM |
|
Hey @gambol99 I won’t be able to test and make changes until Monday unfortunately. I’m out on vacation and don’t have my laptop with me. |
|
@gambol99 updated the perms and tested. (Jet lagged and borrowed a PC ) |
|
Generally LGTM. The file perms that @gambol99 pointed out seems to be the only thing missing. Because it's additive and opt-in, I'm happy to merge even if it's still in flux.. |
|
I added the file perms on diff f047677 and github says they have been pulled in to this PR but for some reason they are not showing up in the "files changed". |
|
/approve |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gambol99, rdrgmnzs The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
fwiw this LGTM too. Thanks for adding this! We'll be able to simplify the instructions on the Authenticator readme and even the AWS blog post if that's allowed. cc @christopherhein |
|
Nice work @rdrgmnzs ! thanks for invalidating the blog post 👍Happy to have this merged in. |
|
@rdrgmnzs FYI It appears they're renaming the authenticator as they bring it into the kubernetes-sigs org. Given that this hasnt been in a stable release yet do you think we should update this to match? |
This automates most of the process of setting up heptio authenticator using Kops.
https://github.com/heptio/authenticator