Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bugfix: use correct service-account-issuer in case of custom clusterDomain #2342

Merged
merged 2 commits into from
Jan 2, 2025
Merged

bugfix: use correct service-account-issuer in case of custom clusterDomain #2342

merged 2 commits into from
Jan 2, 2025
+436 −2

Conversation

vardhaman-surana
Copy link
Contributor

@vardhaman-surana vardhaman-surana commented Dec 18, 2024
edited by neogopher
Loading

What issue type does this pull request address? (keep at least one, remove the others)
/kind bugfix

What does this pull request do? Which issues does it resolve? (use resolves #<issue_number> if possible)
resolves #2315

The PR adds the correct service account issuer to the apiserver in case custom clusterdomain is set using networking.advanced.clusterDomain.
It also fixes _coredns.tpl in the chart to correctly use custom clusterdomain in coredns configuration.

Please provide a short message that should be published in the vcluster release notes
Fixed an issue where vcluster was setting wrong service-account-issuer in case of custom clusterDomain.

What else do we need to know?

in case of the custom cluster domain the service account token for the vcluster pods is created with audiences

"https://kubernetes.default.svc.<custom-domain>", "https://kubernetes.default.svc", "https://kubernetes.default"

and because of the issuer set to https://kubernetes.default.svc.cluster.local the apiserver rejects the authentication request for the token. with the error

invalid bearer token, token audiences ["https://kubernetes.default.svc.<custom-domain>", "https://kubernetes.default.svc", "https://kubernetes.default"] is invalid for the target audiences ["https://kubernetes.default.svc.cluster.local"]

for k0s setting just the clusterDomain in the config file works. and for k3s users needs to use correct settings as below

networking:
  advanced:
    clusterDomain: "k8s.my-cluster"
controlPlane:
  distro:
    k3s:
      enabled: true
      extraArgs: ["--cluster-domain=k8s.my-cluster"]

@netlify Netlify
Copy link

netlify bot commented Dec 18, 2024
edited
Loading

Deploy Preview for vcluster-docs canceled.

Built without sensitive environment variables

Name Link
🔨 Latest commit 2ed2297
🔍 Latest deploy log https://app.netlify.com/sites/vcluster-docs/deploys/67626f5fc44ea0000863a8d3

@vardhaman-surana vardhaman-surana changed the title fix service account issuer in case of custom cluster domain fix service-account-issuer in case of custom cluster domain Dec 18, 2024
@vardhaman-surana vardhaman-surana changed the title fix service-account-issuer in case of custom cluster domain fix service-account-issuer in case of custom clusterDomain Dec 18, 2024
@vardhaman-surana vardhaman-surana changed the title fix service-account-issuer in case of custom clusterDomain bugfix: use correct service-account-issuer in case of custom clusterDomain Dec 18, 2024
@FabianKramm
Copy link
Member

@vardhaman-surana thanks for the PR! Looks good to me!

@FabianKramm FabianKramm merged commit b742f55 into loft-sh:main Jan 2, 2025
64 checks passed
loft-bot pushed a commit that referenced this pull request Jan 2, 2025
@vardhaman-surana
bugfix: use correct service-account-issuer in case of custom clusterD…
1911291 
…omain (#2342)

* fix service account issuer for custom cluster domain

* set clusterdomain value in _coredns.tpl

(cherry picked from commit b742f55)
@loft-bot loft-bot mentioned this pull request Jan 2, 2025
Open
loft-bot pushed a commit that referenced this pull request Jan 2, 2025
@vardhaman-surana
bugfix: use correct service-account-issuer in case of custom clusterD…
b319bed 
…omain (#2342)

* fix service account issuer for custom cluster domain

* set clusterdomain value in _coredns.tpl

(cherry picked from commit b742f55)
@loft-bot
Copy link

loft-bot commented Jan 2, 2025

💔 Some backports could not be created

Status Branch Result
v0.20 Backport failed because of merge conflicts
v0.21
v0.22

Manual backport

To create the backport manually run:

backport --pr 2342

Questions ?

Please refer to the Backport tool documentation and see the Github Action logs for details

@loft-bot loft-bot mentioned this pull request Jan 2, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@FabianKramm FabianKramm FabianKramm approved these changes

Assignees
No one assigned
Labels
backport-to-v0.20 backport this PR to v0.20 branch backport-to-v0.21 backport-to-v0.22
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

kubedns not starting when using custom clusterDomain
4 participants
@vardhaman-surana @FabianKramm @loft-bot @neogopher