Revert kubelet server tls bootstrap (backport to v5) #1257
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
when the admin upgrades from 1.17 -> 1.18, the admin would do: - skuba node upgrade apply (loop all control plane nodes and worker nodes) - skuba addon upgrade apply then at the first control plane node upgrade, usually the admin checks all the pods in the stable state, however, since the first control node sets `serverTLSBootstrap: true` which means it sends out kubelet server CSR in the cluster but there is no CSR signer right now (kucero installed later in `skuba addon upgrade apply`). therefore, the metrics-server would be crash loopback state because the kubelet server does not have it's server certificate right now (it seems like the kubelet does not honor in-disk kubelet.crt which is generated by skuba if `serverTLSBootstrap: true`. Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
jenting
changed the title
cclhsu
approved these changes
Jul 16, 2020
innobead
approved these changes
Jul 16, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why is this PR needed?
when the admin upgrades from 1.17 -> 1.18, the admin would do:
then at the first control plane node upgrade, usually the admin checks all the pods in the stable state, however, since the first control node sets
serverTLSBootstrap: truewhich means it sends out kubelet server CSR in the cluster but there is no CSR signer right now (kucero installed later inskuba addon upgrade apply).therefore, the metrics-server would be crash loopback state because the kubelet server does not have it's server certificate right now (it seems like the kubelet does not honor in-disk kubelet.crt which is generated by skuba if
serverTLSBootstrap: true.What does this PR do?
serverTLSBootstrap: truebut instead skuba generates the kubelet server certificateAnything else a reviewer needs to know?
It's a backport PR to
release-caasp-5.0.0, related to #1248.Info for QA
This is info for QA so that they can validate this. This is mandatory if this PR fixes a bug.
If this is a new feature, a good description in "What does this PR do" may be enough.
Related info
Info that can be relevant for QA:
Status BEFORE applying the patch
The kubelet configuration
/var/lib/kubelet/config.yamlwould haveserverTLSBootstrap: truein fresh install or upgraded cluster.Status AFTER applying the patch
The kubelet configuration
/var/lib/kubelet/config.yaml would not haveserverTLSBootstrap: truein fresh install or upgraded cluster.Docs
If docs need to be updated, please add a link to a PR to https://github.com/SUSE/doc-caasp.
At the time of creating the issue, this PR can be work in progress (set its title to [WIP]),
but the documentation needs to be finalized before the PR can be merged.
Merge restrictions
(Please do not edit this)
We are in v4-maintenance phase, so we will restrict what can be merged to prevent unexpected surprises: