-
Notifications
You must be signed in to change notification settings - Fork 39.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubeadm: Add certificateKey field to v1beta2 config #77012
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @rosti, LGTM.
Note 1: +1
Note 2: +1
Note 3: Not a strong opinion, but I feel that put it on InitConfiguration/JoinControlPlane is better for ux, I also like the idea of keep the certificateEncryptionKey in the same "config" of tokens.
@@ -105,6 +105,7 @@ func ValidateNodeRegistrationOptions(nro *kubeadm.NodeRegistrationOptions, fldPa | |||
} | |||
allErrs = append(allErrs, ValidateSocketPath(nro.CRISocket, fldPath.Child("criSocket"))...) | |||
// TODO: Maybe validate .Taints as well in the future using something like validateNodeTaints() in pkg/apis/core/validation | |||
// TODO: Maybe validate that .CertificateKey is a valid hex encoded AES key |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
An example between the two different UX approaches in practice (Note 3).
vs the
@mauilion @joshrosso I would really appreciate an overview from UX perspective on this one. |
^ cc @seh |
i'm starting to realize that the kubeadm configuration is a bit weird WRT to bootstrap tokens:
the same problem happens now for the certs key. where should we put it? A) so if we want to follow the existing patterns we should have it as a root field of Init and have it as a field under Discovery. my vote goes for A), but i don't like any of the options. |
@neolit123 I think it would be more confusing if we put tokens in a central place. What if you have multiple ones, which one are you going to use for the discovery process? What if you don't want to use token for discovery (use kubeconfig instead)? |
From a UX perspective I am in favor of
Mainly because this seems a better separation of concerns. Ideally I would not want this key to end up on worker nodes even by accident. Writing it to the node registration struct will likely mean that the "common" join config will be made available to all nodes. |
I also prefer The benefit of So my suggestion is:
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rosti The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thank you @mauilion and @joshrosso for the UX review! |
|
||
// CertificateEncryptionKey sets the key with which certificates and keys are encrypted prior to being uploaded in | ||
// a secret in the cluster during the uploadcerts init phase. | ||
CertificateEncryptionKey string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 for going with a common key name between join/init
CertificateKey
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 from me as well on the shared name, having separate naming makes it seem as if we are possibly using public key encryption rather than symmetric encryption
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My initial thought on that was, that users may get confused easily and questions like "I placed my key under JoinConfiguration, why is upload failing?" or "I placed my key in InitConfuguration, why is my download failing?" may arise.
But then, since this is the prevailing opinion, then I'll shorten the names.
PR updated again, moved to |
This change introduces config fields to the v1beta2 format, that allow certificate key to be specified in the config file. This certificate key is a hex encoded AES key, that is used to encrypt certificates and keys, needed for secondary control plane nodes to join. The same key is used for the decryption during control plane join. It is important to note, that this key is never uploaded to the cluster. It can only be specified on either command line or the config file. The new fields can be used like so: --- apiVersion: kubeadm.k8s.io/v1beta2 kind: InitConfiguration certificateKey: "yourSecretHere" --- apiVersion: kubeadm.k8s.io/v1beta2 kind: JoinConfiguration controlPlane: certificateKey: "yourSecretHere" --- Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the change seems good to me!
/lgtm
/hold
hold until EOD today on lazy consensus.
lgtm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/hold cancel |
/retest Review the full test history for this PR. Silence the bot with an |
What type of PR is this?
/kind feature
What this PR does / why we need it:
This change introduces config fields to the v1beta2 format, that allow certificate key to be specified in the config file. This certificate key is a hex encoded AES key, that is used to encrypt certificates and keys, needed for secondary control plane nodes to join. The same key is used for the decryption
during control plane join.
It is important to note, that this key is never uploaded to the cluster. It can only be specified on either command line or the config file.
The new fields can be used like so:
Note 1: I thought about adding validation of the key (should be hex encoded AES key + probably verify minimal key length), but since this was not done for the command line flag, I perceive it as out of scope for this PR. Hence, only a TODO is added.
Note 2: Currently, the command line option does not override the config file option. Instead an error is printed if both are specified. I am open to change for this behavior.
Note 3:
This is the variant where a single field is added toNodeRegistrationOptions
. Another possibility is to addcertificateEncryptionKey
toInitConfiguration
andcertificateDecryptionKey
toJoinControlPlane
. This may be a little bit more intuitive for users. I have no strong opinion, I can easily switch ways if needed.Thanks to feedback from @mauilion and @joshrosso, I switched the PR to the change suggested in Note 3.
Which issue(s) this PR fixes:
Refs:
Special notes for your reviewer:
Please, review only the top commit. Depends on #76710
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
/area kubeadm
/priority important-soon
/assign @fabriziopandini
/assign @timothysc
/assign @neolit123
/assign @yagonobre
Does this PR introduce a user-facing change?: