Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Drop caBundle from CRDs to support Kubernetes 1.31 #10972

Merged
merged 1 commit into from
Aug 1, 2024
Merged

🐛 Drop caBundle from CRDs to support Kubernetes 1.31 #10972

merged 1 commit into from
Aug 1, 2024

Conversation

sbueringer
Copy link
Member

@sbueringer sbueringer commented Jul 31, 2024
edited
Loading

Signed-off-by: Stefan Büringer buringerst@vmware.com

What this PR does / why we need it:
Starting with Kubernetes 1.31 it won't be possible anymore to continuously apply CRDs that are setting caBundle to an invalid value (in our case Cg==). The solution is to simply drop the caBundle field (it was never actually required by kube-apiserver).

For more details see: https://kubernetes.slack.com/archives/C0EG7JC6T/p1722441161968339

Let me know if you have any questions.

Going to backport this into all supported releases. It's never great to set the caBundle to an invalid value, even before Kubernetes 1.31

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-area PR is missing an area label size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 31, 2024
@k8s-ci-robot k8s-ci-robot requested review from chrischdi and elmiko July 31, 2024 17:56
@sbueringer sbueringer force-pushed the pr-drop-ca-bundle branch 2 times, most recently from 1320244 to 529dc2b Compare July 31, 2024 17:58
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jul 31, 2024
@sbueringer sbueringer added the area/api Issues or PRs related to the APIs label Jul 31, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/needs-area PR is missing an area label label Jul 31, 2024
@sbueringer
Copy link
Member Author

/cherry-pick release-1.8

@sbueringer
Copy link
Member Author

/cherry-pick release-1.7

@k8s-infra-cherrypick-robot
Copy link

@sbueringer: once the present PR merges, I will cherry-pick it on top of release-1.8 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-infra-cherrypick-robot
Copy link

@sbueringer: once the present PR merges, I will cherry-pick it on top of release-1.7 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sbueringer
Copy link
Member Author

/cherry-pick release-1.6

@k8s-infra-cherrypick-robot
Copy link

@sbueringer: once the present PR merges, I will cherry-pick it on top of release-1.6 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sbueringer
Drop caBundle from CRDs
ed83b13 
Signed-off-by: Stefan Büringer buringerst@vmware.com
@sbueringer
Copy link
Member Author

/test ?

@k8s-ci-robot
Copy link
Contributor

@sbueringer: The following commands are available to trigger required jobs:

  • /test pull-cluster-api-build-main
  • /test pull-cluster-api-e2e-blocking-main
  • /test pull-cluster-api-e2e-conformance-ci-latest-main
  • /test pull-cluster-api-e2e-conformance-main
  • /test pull-cluster-api-e2e-main
  • /test pull-cluster-api-e2e-mink8s-main
  • /test pull-cluster-api-e2e-upgrade-1-30-1-31-main
  • /test pull-cluster-api-test-main
  • /test pull-cluster-api-test-mink8s-main
  • /test pull-cluster-api-verify-main

The following commands are available to trigger optional jobs:

  • /test pull-cluster-api-apidiff-main

Use /test all to run the following jobs that were automatically triggered:

  • pull-cluster-api-apidiff-main
  • pull-cluster-api-build-main
  • pull-cluster-api-e2e-blocking-main
  • pull-cluster-api-test-main
  • pull-cluster-api-verify-main

In response to this:

/test ?

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sbueringer
Copy link
Member Author

/test pull-cluster-api-e2e-conformance-ci-latest-main
/test pull-cluster-api-e2e-conformance-main
/test pull-cluster-api-e2e-main
/test pull-cluster-api-e2e-mink8s-main
/test pull-cluster-api-e2e-upgrade-1-30-1-31-main

@nrb nrb mentioned this pull request Jul 31, 2024
Merged
neolit123
neolit123 reviewed Jul 31, 2024
View reviewed changes
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve
/hold
drop hold if needed pls

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 31, 2024
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 31, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: af2eb9493e76557aff9d85ccb6eb495959456d86

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 31, 2024
@neolit123
Copy link
Member

/kind cleanup

@sbueringer
Copy link
Member Author

/test pull-cluster-api-e2e-main

@chrischdi
Copy link
Member

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrischdi, neolit123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [chrischdi,neolit123]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sbueringer
Copy link
Member Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 1, 2024
@sbueringer sbueringer mentioned this pull request Aug 1, 2024
Merged
@k8s-ci-robot k8s-ci-robot merged commit c0c7cdf into kubernetes-sigs:main Aug 1, 2024
28 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.9 milestone Aug 1, 2024
@k8s-infra-cherrypick-robot
Copy link

@sbueringer: new pull request created: #10976

In response to this:

/cherry-pick release-1.8

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-infra-cherrypick-robot k8s-infra-cherrypick-robot mentioned this pull request Aug 1, 2024
Merged
@k8s-infra-cherrypick-robot
Copy link

@sbueringer: #10972 failed to apply on top of branch "release-1.7":

Applying: Drop caBundle from CRDs
Using index info to reconstruct a base tree...
M	bootstrap/kubeadm/config/crd/patches/webhook_in_kubeadmconfigs.yaml
A	docs/book/src/developer/providers/migrations/v1.7-to-v1.8.md
Falling back to patching base and 3-way merge...
CONFLICT (modify/delete): docs/book/src/developer/providers/migrations/v1.7-to-v1.8.md deleted in HEAD and modified in Drop caBundle from CRDs. Version Drop caBundle from CRDs of docs/book/src/developer/providers/migrations/v1.7-to-v1.8.md left in tree.
Auto-merging bootstrap/kubeadm/config/crd/patches/webhook_in_kubeadmconfigs.yaml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Drop caBundle from CRDs
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.7

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-infra-cherrypick-robot
Copy link

@sbueringer: #10972 failed to apply on top of branch "release-1.6":

Applying: Drop caBundle from CRDs
Using index info to reconstruct a base tree...
M	bootstrap/kubeadm/config/crd/patches/webhook_in_kubeadmconfigs.yaml
A	docs/book/src/developer/providers/migrations/v1.7-to-v1.8.md
Falling back to patching base and 3-way merge...
CONFLICT (modify/delete): docs/book/src/developer/providers/migrations/v1.7-to-v1.8.md deleted in HEAD and modified in Drop caBundle from CRDs. Version Drop caBundle from CRDs of docs/book/src/developer/providers/migrations/v1.7-to-v1.8.md left in tree.
Auto-merging bootstrap/kubeadm/config/crd/patches/webhook_in_kubeadmconfigs.yaml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Drop caBundle from CRDs
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.6

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sbueringer sbueringer deleted the pr-drop-ca-bundle branch August 1, 2024 10:37
This was referenced Aug 1, 2024
Merged
Merged
@adilGhaffarDev adilGhaffarDev mentioned this pull request Aug 1, 2024
Merged
@chrischdi chrischdi mentioned this pull request Aug 1, 2024
Merged
This was referenced Aug 22, 2024
Closed
Merged
smira added a commit to smira/cluster-api-bootstrap-provider-talos that referenced this pull request Sep 11, 2024
@smira
fix: remove CA bundle
d08a0bb 
See kubernetes-sigs/cluster-api#10972

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
@smira smira mentioned this pull request Sep 11, 2024
Merged
nrb added a commit to nrb/cluster-api-provider-aws that referenced this pull request Sep 20, 2024
@nrb
Remove the placeholder caBundle
14f9fc5 
Kubernetes 1.31 will no longer allow the caBundle field to continuously
reconcile to an invalid value. We'll fix this by leaving it blank.

See kubernetes-sigs/cluster-api#10972 for more
details.

Signed-off-by: Nolan Brubaker <nolan@nbrubaker.com>
This was referenced Sep 27, 2024
Merged
Merged
This was referenced Oct 31, 2024
Closed
Merged
@reyvonger reyvonger mentioned this pull request Nov 5, 2024
Merged
@reyvonger reyvonger mentioned this pull request Dec 11, 2024
Merged
@KrystianMarek KrystianMarek mentioned this pull request Jan 7, 2025
Merged
mergify bot added a commit to tinkerbell/cluster-api-provider-tinkerbell that referenced this pull request Jan 9, 2025
@mergify
rm caBundle (#433)
97ed2ed 
## Description

Drop caBundle from CRDs to support Kubernetes 1.31
kubernetes-sigs/cluster-api#10972

## Why is this needed

Allow provider to work with k8s 1.31

Fixes: #
```
message: 'action failed after 10 attempts: failed to patch provider object: CustomResourceDefinition.apiextensions.k8s.io
      "tinkerbellclusters.infrastructure.cluster.x-k8s.io" is invalid: spec.conversion.webhookClientConfig.caBundle:
      Invalid value: []byte{0xa}: unable to load root certificates: unable to parse
      bytes as PEM block'
```

Tests:

Deployed on local k8s 1.31, with tilt.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@neolit123 neolit123 neolit123 left review comments

@chrischdi chrischdi Awaiting requested review from chrischdi

@elmiko elmiko Awaiting requested review from elmiko

Assignees

@neolit123 neolit123

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/api Issues or PRs related to the APIs cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.9
Development

Successfully merging this pull request may close these issues.
5 participants
@sbueringer @k8s-infra-cherrypick-robot @k8s-ci-robot @neolit123 @chrischdi