-
Notifications
You must be signed in to change notification settings - Fork 39.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
use controller to publish cluster authentication info #82705
Conversation
d5dc23d
to
2732342
Compare
2732342
to
091e29e
Compare
/retest |
091e29e
to
5139dd8
Compare
cmd/kube-apiserver/app/server.go
Outdated
} | ||
if requestHeaderConfig, err := s.Authentication.RequestHeader.ToAuthenticationRequestHeaderConfig(); err != nil { | ||
return nil, nil, nil, nil, err | ||
} else if requestHeaderConfig != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
drop else
RequestHeaderCA dynamiccertificates.CAContentProvider | ||
} | ||
|
||
// NewClusterAuthenticationTrustController returns a controller that will maintain the `kubectl get -n kube-system configmap/extension-apiserver-authentication` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this kubectl wording makes me stumble upon on every read.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
... that will keep the configmap kube-system/.... up to date ...
klog.V(4).Info("no changes to configmap") | ||
return nil | ||
} | ||
klog.V(2).Infof("writing updated authentication info to `kubectl get -n %s configmaps/%s", configMapNamespace, configMapName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
another occurence of this strange kubectl wording.
} | ||
|
||
if equality.Semantic.DeepEqual(authConfigMap, originalAuthConfigMap) { | ||
klog.V(4).Info("no changes to configmap") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Increase verbosity for doing nothing.
return nil | ||
} | ||
klog.V(2).Infof("writing updated authentication info to `kubectl get -n %s configmaps/%s", configMapNamespace, configMapName) | ||
klog.V(4).Infof("%v", spew.Sdump(authConfigMap.Data)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That a lot of output for V(4)
} | ||
} | ||
|
||
if authenticationInfo.RequestHeaderCA != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return early
return headerrequest.StaticStringSlice(out), nil | ||
} | ||
|
||
func combineStringSlices(lhs, rhs headerrequest.StringSliceProvider) headerrequest.StringSliceProvider { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
actually combineUniqueStringSlices
certificates = filterExpiredCerts(certificates...) | ||
|
||
finalCertificates := []*x509.Certificate{} | ||
// now check for duplicates. n^2, but super simple |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
one of lhs or rhs is small => n^2 is fine
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
isn't there some unique property in the CA you can use instead?
How big can n get? Another cert per rotation? Rotation is each 30 days => 12 per year. So probably not so big.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
isn't there some unique property in the CA you can use instead?
How big can n get? Another cert per rotation? Rotation is each 30 days => 12 per year. So probably not so big.
You're looking at order of 10 infrequently checked. I think this is fine until you see it in a profile.
pkg/master/master.go
Outdated
|
||
"k8s.io/client-go/kubernetes" | ||
|
||
"k8s.io/kubernetes/pkg/master/controller/clusterauthenticationtrust" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
order
cfssl gencert -initca root-1.csr.json | cfssljson -bare root | ||
cfssl gencert -initca root-2.csr.json | cfssljson -bare root | ||
cfssl gencert -initca root-3.csr.json | cfssljson -bare root | ||
cfssl gencert -initca root-4.csr.json | cfssljson -bare root |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure this is relevant: do they pass the fips tests?
|
||
"k8s.io/apimachinery/pkg/util/wait" | ||
|
||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
order
fc4ef2d
to
46f10e5
Compare
46f10e5
to
7ab462b
Compare
/retest |
/retest |
/retest Review the full test history for this PR. Silence the bot with an |
3 similar comments
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
fixes #82429
/kind bug
/priority important-soon