Add configuration item to allow kubeadm join to use a dns name pointing to control plane #59288
Conversation
k8s-ci-robot
added
release-note
|
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews |
k8s-ci-robot
added
the
sig/cluster-lifecycle
cmd/kubeadm/app/cmd/phases/addons.go
Outdated
| @@ -145,6 +145,7 @@ func getAddonsSubCommands() []*cobra.Command { | |||
|
|
|||
| if properties.use == "all" || properties.use == "kube-proxy" { | |||
| cmd.Flags().StringVar(&cfg.API.AdvertiseAddress, "apiserver-advertise-address", cfg.API.AdvertiseAddress, `The IP address or DNS name the API server is accessible on`) | |||
| cmd.Flags().StringVar(&cfg.API.AdvertiseDNSAddress, "apiserver-advertise-dns-address", cfg.API.AdvertiseDNSAddress, `The DNS name the API server is accessible on`) | |||
There was a problem hiding this comment.
I think I've turned a blind eye to some of the flag proliferation, this seems awfully redundant.
/cc @errordeveloper
There was a problem hiding this comment.
part of the issue is the previous advertiseaddress was actually a listen address not an advertise.
timothysc
removed
the
needs-ok-to-test
|
Need a way to allow users to specify dns name for API server as well as the ip address in the event the API server host machine has multiple. There are the San certs, however multiple can be passed so which one would you choose. |
|
Any reason why we can't just use |
|
I started there when I began thinking through this PR to use |
There was a problem hiding this comment.
I think this is a pretty important change, and this will really help us close this gap. Thanks, @stevesloka!
cmd/kubeadm/test/util.go
Outdated
| @@ -57,7 +57,7 @@ func SetupMasterConfigurationFile(t *testing.T, tmpdir string, cfg *kubeadmapi.M | |||
| kind: MasterConfiguration | |||
| certificatesDir: {{.CertificatesDir}} | |||
| api: | |||
| advertiseAddress: {{.API.AdvertiseAddress}} | |||
| advertiseAddress: {{.API.AdvertiseDNSAddress}} | |||
There was a problem hiding this comment.
Is this change intentional? AdvertiseAddress should not be the same as AdvertiseDNSAddress
There was a problem hiding this comment.
Nope that's a mistake, thanks for catching.
| AdvertiseAddress string `json:"advertiseAddress"` | ||
| // AdvertiseDNSAddress sets the DNS address for the API server to advertise. | ||
| AdvertiseDNSAddress string `json:"advertiseDNSAddress"` |
There was a problem hiding this comment.
I find this naming a bit confusing as I don't think anything is being "advertised." While the kubelet uses the terminology of advertiseAddress to specify which IP the server is listening on, this new argument is being used only to indicate where a node should register itself. Perhaps a more descriptive argument would be controlPlaneEndpoint?
There was a problem hiding this comment.
I think controlPlane make sense, I'll move to that, take out the args, and do a verify it works via the config.
timothysc
added
the
do-not-merge/hold
|
per sig conversation, we should leverage the config object to allow for updates and try not to proliferate cmd line flags b/c anything we do will have to be maintained post GA. |
k8s-github-robot
added
the
needs-rebase
stevesloka
force-pushed
the
apiServerDNS
branch
2 times, most recently
from
e082520 to
e58598b
Compare
k8s-github-robot
removed
the
needs-rebase
stevesloka
changed the title
|
@timothysc @craigtracey I updated to only use the config, also rebased and pushed. |
| @@ -143,7 +143,7 @@ func getControlPlaneSubCommands(outDir, defaultKubernetesVersion string) []*cobr | |||
| cmd.Flags().StringVar(&cfg.KubernetesVersion, "kubernetes-version", cfg.KubernetesVersion, `Choose a specific Kubernetes version for the control plane`) | |||
|
|
|||
| if properties.use == "all" || properties.use == "apiserver" { | |||
| cmd.Flags().StringVar(&cfg.API.AdvertiseAddress, "apiserver-advertise-address", cfg.API.AdvertiseAddress, "The IP address or DNS name the API server is accessible on") | |||
| cmd.Flags().StringVar(&cfg.API.AdvertiseAddress, "apiserver-advertise-address", cfg.API.AdvertiseAddress, "The IP address of the API server is accessible on") | |||
There was a problem hiding this comment.
So I need to look through history here. I think other changes that crib'd hostIP from self-hosting affected this. Sorry it's taking a while but we want the original intent to be preserved. @kad if you have a moment could you dig the change, otherwise i'll have to search for it tomorrow.
There was a problem hiding this comment.
This is actually a defect. The kube-apiserver only accepts an IP for --advertise-address.
https://kubernetes.io/docs/reference/generated/kube-apiserver/
I believe what @stevesloka has here is correct.
There was a problem hiding this comment.
Just for reference: Yes this can only be an IP and #56956 was just merged to validate this.
|
Does anyone have time this week to review? Curious if the implementation is acceptable or if anyone has any additional comments. |
|
/approve @kubernetes/sig-cluster-lifecycle-pr-reviews - For transparency I'd prefer someone non-heptio to lgtm |
k8s-ci-robot
added
the
approved
timothysc
removed
the
do-not-merge/hold
cmd/kubeadm/app/util/endpoint.go
Outdated
| if len(cfg.API.ControlPlaneEndpoint) > 0 { | ||
| errs := validation.IsDNS1123Subdomain(cfg.API.ControlPlaneEndpoint) | ||
| if len(errs) > 0 { | ||
| return "", fmt.Errorf("error parsing `ControlPlaneEndpoint` to valid dns subdomain") |
There was a problem hiding this comment.
Maybe here we want to provide to user more information about error ? e.g. what is wrong with domain provided.
stevesloka
force-pushed
the
apiServerDNS
branch
from
c5cc16d to
fd3eca8
Compare
|
@kad I spit the commits into 2, one for code and the other for autogen bazel deps. Also, I have the validation of the DNS address return the errors from validation method, and updated the error message to show those errors which get returned. |
|
@stevesloka Thanks. Changes in |
stevesloka
force-pushed
the
apiServerDNS
branch
from
fd3eca8 to
dc03cc0
Compare
|
@kad I've moved the zz_generated over to the 2nd commit |
|
Does anyone have any additional comments on this PR? |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: stevesloka, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test all Tests are more than 96 hours old. Re-running tests. |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
First-time kubeadm user here: The v1.10.0 docs indicate that config file use is experimental, but judging from the comments on kubernetes/kubernetes#59288 it looks like new features are beginning to be supported only in the config file. controlPlaneEndpoint is super useful for us and while I suspect the kubeadm init docs will ultimately be re-written to emphasize the config file options rather than flags (with appropriate examples and descriptions as the flags have now), it would've saved us some time today if we'd seen controlPlaneEndpoint in the config file example.
This switches kubeadm to use the new ControlPlaneEndpoint options introduced in kubernetes/kubernetes#59288
First-time kubeadm user here: The v1.10.0 docs indicate that config file use is experimental, but judging from the comments on kubernetes/kubernetes#59288 it looks like new features are beginning to be supported only in the config file. controlPlaneEndpoint is super useful for us and while I suspect the kubeadm init docs will ultimately be re-written to emphasize the config file options rather than flags (with appropriate examples and descriptions as the flags have now), it would've saved us some time today if we'd seen controlPlaneEndpoint in the config file example.
|
Is this merge request included in the last kubeadm release? If I try to use this flag, kubeadm complains |
|
Same here? How to use this flag? @stevesloka |
|
Or are we allowing to pass DNS name under this flag? "--apiserver-advertise-address" |
|
Can someone update please? |
|
you should use --control-plane-endpoint / ControlPlaneEndpoint (in config) which is a kubeadm construct / concept. it's the endpoint that sits in front of API servers.
https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta3/ for more questions please use #kubeadm on k8s slack. |
This adds a new flag (
--apiserver-advertise-dns-address) to kubeadm which is used in node kubelet.confg to point to API server allowing users to define a DNS entry instead of an IP address.Fixes kubernetes/kubeadm#411
// @timothysc @craigtracey