kubeadm: Add support for using an external CA whose key is never stored in the cluster #50832
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Hi @nckturner. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
needs-ok-to-test
k8s-github-robot
added
size/L
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
cmd/kubeadm/app/cmd/init.go
Outdated
| } | ||
|
|
||
| } else { | ||
| fmt.Printf("[externalca] No ca.key detected, assuming external CA. Skipping certs and kubeconfig.\n") |
There was a problem hiding this comment.
nit: fmt.Println
nit: No ca.key detected, but all other files generated from it are available, so using external CA mode. Won't generate certs nor kubeconfig files (or something like that)
| "use-service-account-credentials": "true", | ||
| "controllers": "*,bootstrapsigner,tokencleaner", | ||
| } | ||
|
|
||
| // If using external CA, pass empty string to controller manager instead of ca.key path, so that the csrsigning controller fails to start | ||
| if certphase.UsingExternalCA(cfg) { | ||
| defaultArguments["cluster-signing-key-file"] = "" |
There was a problem hiding this comment.
for clarity; I'd always set cluster-signing-key-file and cluster-signing-cert-file in defaultArguments
and in this special case; unset both (although one only is technically needed, it's safest to reset both of them
There was a problem hiding this comment.
Makes sense, fixed.
| return false | ||
| } | ||
|
|
||
| if !ValidatePrivateKey(cfg.CertificatesDir, kubeadmconstants.ServiceAccountKeyBaseName, "service account") { |
There was a problem hiding this comment.
What about sa.pub? can we make a case for that one as well?
There was a problem hiding this comment.
I added a case to superficially check for its existence, tell me what you think.
| return true | ||
| } | ||
|
|
||
| func ValidateCACert(pkiDir string, baseName string, UXName string) bool { |
There was a problem hiding this comment.
Please add a comment for all these
| return true | ||
| } | ||
|
|
||
| func ValidateCACertAndKey(pkiDir string, baseName string, UXName string) bool { |
There was a problem hiding this comment.
And unit test all these new funcs you are creating.
There was a problem hiding this comment.
Done, though tell me if I should refactor them into table driven tests.
There was a problem hiding this comment.
Table driven tests are common practice, please write such ones.
Nearly all unit tests in cmd/kubeadm are table driven
|
From the verify job: Please fix. |
luxas
changed the title
luxas
added
release-note
|
This definitely deserves a release note 😄 |
| return true | ||
| } | ||
|
|
||
| func ValidateSignedCert(pkiDir string, CABaseName string, baseName string, UXName string) bool { |
There was a problem hiding this comment.
don't start go local variables with capitals. caBaseName...
|
:+1 |
| return false | ||
| } | ||
|
|
||
| if !ValidateSignedCert(cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName, kubeadmconstants.APIServerCertAndKeyBaseName, "API server") { |
There was a problem hiding this comment.
make this table driven. https://play.golang.org/p/UJY4McemtD
There was a problem hiding this comment.
Can you explain what you are suggesting a little more? Do you mean this entire function?
| // Check CA Cert | ||
| caCert, err := pkiutil.TryLoadCertFromDisk(pkiDir, baseName) | ||
| if err != nil { | ||
| fmt.Printf("failure loading certificate for %s: %v", UXName, err) |
There was a problem hiding this comment.
raw prints without linebreaks are going to look pretty funky in the output.
cmd/kubeadm/app/cmd/init.go
Outdated
| if err := cmdphases.CreatePKIAssets(i.cfg); err != nil { | ||
| return err | ||
| } | ||
| if !certphase.UsingExternalCA(i.cfg) { |
There was a problem hiding this comment.
According to the issue, it is expected to have also required kubeconfig files on disk. Is kubeadm going to test this precondition?
There was a problem hiding this comment.
Yes, that should also be checked, good catch
k8s-github-robot
added
the
needs-rebase
k8s-github-robot
added
needs-rebase
k8s-github-robot
removed
the
needs-rebase
cmd/kubeadm/app/cmd/init.go
Outdated
| return err | ||
| } | ||
| if res, err := certsphase.UsingExternalCA(i.cfg); !res { | ||
| fmt.Printf("[externalca] Not using external CA mode: %v\n", err) |
There was a problem hiding this comment.
I don't think we should print anything here, this is the "normal" state anyway...
There was a problem hiding this comment.
Removed the print, if someone wants to see why external CA mode is not active they would have to add print statements to this step. (a logger with verbosity levels would be nice but it seems to be not used in kubeadm)
cmd/kubeadm/app/cmd/init.go
Outdated
| if err := certsphase.CreatePKIAssets(i.cfg); err != nil { | ||
| return err | ||
| } | ||
| if res, err := certsphase.UsingExternalCA(i.cfg); !res { |
There was a problem hiding this comment.
I'd say its not an error at this step, so I changed it to be a string representing the reason that we are not in "Using External CA".
| } | ||
|
|
||
| var p *rsa.PublicKey | ||
| p = pubKeys[0].(*rsa.PublicKey) |
|
|
||
| var key *rsa.PrivateKey | ||
| // Allow RSA format only | ||
| if k, ok := privKey.(*rsa.PrivateKey); ok { |
There was a problem hiding this comment.
nit on style, this can be moved out of the if clause and you can check for !ok, return in that case, otherwise just use := afterwards.
Generally I'm trying to minimize the amount of indentation in funcs and avoid if/else when possible. This is still a nit though ;)
| func UsingExternalCA(cfg *kubeadmapi.MasterConfiguration) (bool, string) { | ||
|
|
||
| if err := validateCACert(certKeyLocation{cfg.CertificatesDir, kubeadmconstants.CACertAndKeyBaseName, "", "CA"}); err != nil { | ||
| return false, err.Error() |
There was a problem hiding this comment.
I actually preferred returning an error like you did in the earlier version, but I'm not blocking this PR on that
| return err | ||
| } | ||
|
|
||
| _, err := pkiutil.TryLoadKeyFromDisk(l.pkiDir, l.caBaseName) |
There was a problem hiding this comment.
Not needed for this PR; but in some future PR we should make sure the public key in the cert and key match each other (we have other places that do similar functionality like this so...)
| // If using external CA, pass empty string to controller manager instead of ca.key/ca.crt path, | ||
| // so that the csrsigning controller fails to start | ||
| if res, _ := certphase.UsingExternalCA(cfg); res { | ||
| defaultArguments["cluster-signing-key-file"] = "" |
There was a problem hiding this comment.
Gah, should have spotted this earlier, I realize delete(defaultArguments, "cluster...") is probably preferable over this method... WDYT?
It would be great to get an unit test for this as well if possible...
There was a problem hiding this comment.
The nice thing about setting to "" is that (in controller manager logs) you get:
Skipping "csrsigning"
instead of:
Failed to start certificate controller: error reading CA cert file "/etc/kubernetes/ca/ca.pem": open /etc/kubernetes/ca/ca.pem: no such file or directory
when using delete() which I think is slightly better, but I will switch them if you prefer.
There was a problem hiding this comment.
With that context (thanks for reminding me about the UX), it makes sense to pass ""
k8s-ci-robot
added
the
lgtm
| // If using external CA, pass empty string to controller manager instead of ca.key/ca.crt path, | ||
| // so that the csrsigning controller fails to start | ||
| if res, _ := certphase.UsingExternalCA(cfg); res { | ||
| defaultArguments["cluster-signing-key-file"] = "" |
There was a problem hiding this comment.
With that context (thanks for reminding me about the UX), it makes sense to pass ""
k8s-github-robot
added
the
approved
|
/retest Review the full test history for this PR. |
We allow a kubeadm user to use an external CA by checking to see if ca.key is missing and skipping cert checks and kubeconfig generation if ca.key is missing.
k8s-github-robot
removed
the
lgtm
|
@luxas @mikedanese I squashed my commits, can I get another lgtm? |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: luxas, mikedanese, nckturner Associated issue: 280 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/retest |
|
/retest Review the full test history for this PR. |
|
/retest |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 50832, 51119, 51636, 48921, 51712) |
|
@nckturner: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
🎉 well done! |
We allow a kubeadm user to use an external CA by checking to see if ca.key is missing and skipping cert checks and kubeconfig generation if ca.key is missing. We also pass an empty arg --cluster-signing-key-file="" to kube controller manager so that the csr signer doesn't start.
What this PR does / why we need it:
This PR allows the kubeadm certs phase and kubeconfig phase to be skipped if the ca.key is missing but all other certs are present.
Which issue this PR fixes :
Fixes kubernetes/kubeadm/issues/280
Special notes for your reviewer:
@luxas @mikedanese @fabriziopandini
Release note: