This repository has been archived by the owner on Apr 22, 2020. It is now read-only.

Don't pass true for bool type flag --discovery-token-unsafe-skip-ca-verification #488

Closed
2 changes: 1 addition & 1 deletion phase2/kubeadm/configure-vm-kubeadm-node.sh
@@ -1,4 +1,4 @@

# This is not meant to run on its own, but extends phase2/kubeadm/configure-vm-kubeadm.sh

kubeadm join --token "$KUBEADM_TOKEN" "$KUBEADM_MASTER_IP:443" --skip-preflight-checks --discovery-token-unsafe-skip-ca-verification true
Contributor

👍
also, we should pass this flag ONLY if the kubeadm version is v1.8 or higher.
The versions below that didn't have this feature.

Contributor Author

Agreed. 👍

@shashidharatd I'm not familiar with kubeadm version management/check in kubernetes-anywhere. Could you please help fix this? Thanks!

Contributor

Maybe we can use KUBEADM_VERSION, we already have this variable in this file.
But KUBEADM_VERSION is a link like: gs://kubernetes-release-dev/bazel/v1.10.0-alpha.0.631+e7ad6e60081887/bin/linux/amd64/.

Contributor Author

Yes, but the variable is also used in openstack, and it seems like there it uses the "stable" version from another link. It makes it complicated to check the version. And I can't test it out on a GCE cloud :(

Contributor

Yep, it's complicated. Offhand, what I could think of is to extract a semver from KUBEADM_VERSION and write a semver matching function, and based on the condition use the right option for the --discovery-token-unsafe-skip-ca-verification flag.

AFAIK, KUBEADM_VERSION can be either one of 2 values.

  • stable
  • a URL pointing to GCS like the one prefixed with gs://

Contributor Author

@shashidharatd sounds great! Thanks! BTW, do you have cycles to help implement this?

Contributor

@xiangpengzhao, I am giving it a try. Will raise a PR once my GCE local testing passes.

Contributor Author

@shashidharatd cool, thanks!

kubeadm join --token "$KUBEADM_TOKEN" "$KUBEADM_MASTER_IP:443" --skip-preflight-checks --discovery-token-unsafe-skip-ca-verification
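
Review bot: the new `kubeadm join` line still passes `--discovery-token-unsafe-skip-ca-verification` unconditionally, and the thread above notes that kubeadm versions below v1.8 do not have this flag, so nodes provisioned with an older kubeadm would be handed an option it does not know. Gate the flag on a version derived from KUBEADM_VERSION, either in this change or in a follow-up that lands together with it. Because the flag turns off CA verification during token discovery, a short comment above the join line stating why that is accepted here would help later readers; `--discovery-token-ca-cert-hash` is the pinned alternative if the CA hash can be made available to the node.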
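
The version gate discussed in the review thread above, written out as an added example (not code from this PR or from kubernetes-anywhere). The function names are hypothetical, the second sample URL is constructed, and resolving the `stable` label to a version is assumed to be the caller's job.

```shell
#!/bin/sh
# Added example, not kubernetes-anywhere code; function names are hypothetical.
MIN_VERSION="1.8"  # per the thread: the flag exists in kubeadm v1.8 and higher
SKIP_CA_FLAG="--discovery-token-unsafe-skip-ca-verification"

# Print the vX.Y.Z component of $1 as X.Y.Z; print nothing if there is none.
extract_semver() {
  printf '%s\n' "$1" |
    sed -n 's/.*v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit 0 when X.Y.Z in $1 is at least X.Y in $2. Fields are compared as
# integers, so 1.10 sorts above 1.8; a plain string comparison would get
# that case wrong.
version_at_least() {
  va_major=${1%%.*}; va_rest=${1#*.}; va_minor=${va_rest%%.*}
  va_want_major=${2%%.*}; va_want_minor=${2#*.}
  if [ "$va_major" -ne "$va_want_major" ]; then
    [ "$va_major" -gt "$va_want_major" ]
  else
    [ "$va_minor" -ge "$va_want_minor" ]
  fi
}

# Print the flag to append to `kubeadm join` for KUBEADM_VERSION value $1.
# Prints nothing below MIN_VERSION. Returns 2 when no version can be parsed
# (for example the label "stable"), so the caller resolves the label first.
join_discovery_flag() {
  jd_ver=$(extract_semver "$1")
  [ -n "$jd_ver" ] || return 2
  if version_at_least "$jd_ver" "$MIN_VERSION"; then
    printf '%s\n' "$SKIP_CA_FLAG"
  fi
  return 0
}

# Sample values: the GCS URL quoted in the thread, a constructed older URL in
# the same layout, and the "stable" label.
for v in \
  "gs://kubernetes-release-dev/bazel/v1.10.0-alpha.0.631+e7ad6e60081887/bin/linux/amd64/" \
  "gs://example-bucket/release/v1.7.5/bin/linux/amd64/" \
  "stable"
do
  flag=$(join_discovery_flag "$v") || flag="<unresolved: map the label to a version first>"
  printf '%s -> %s\n' "$v" "${flag:-<no flag>}"
done
```

Returning an error for an unparseable value keeps the script from guessing: the flag is rejected by kubeadm below v1.8, so a wrong guess would fail the join on those versions.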