Skip to content

Certificate signing controller for TLS bootstrap (alpha)#25764

Merged
k8s-github-robot merged 3 commits intokubernetes:masterfrom
gtank:certificates-api-controller-v3
Jul 20, 2016
Merged

Certificate signing controller for TLS bootstrap (alpha)#25764
k8s-github-robot merged 3 commits intokubernetes:masterfrom
gtank:certificates-api-controller-v3

Conversation

@gtank
Copy link
Copy Markdown

@gtank gtank commented May 17, 2016
edited
Loading

The controller handles generating and signing certificates when a CertificateSigningRequest has the "Approved" condition. Uses cfssl to support a wide set of possible keys and algorithms. Depends on PR #25562, only the last two commits are relevant to this PR.

cc @mikedanese

Analytics

@k8s-bot
Copy link
Copy Markdown

k8s-bot commented May 17, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

2 similar comments
@k8s-bot
Copy link
Copy Markdown

k8s-bot commented May 17, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

@k8s-bot
Copy link
Copy Markdown

k8s-bot commented May 17, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

@k8s-github-robot k8s-github-robot added kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/new-api size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels May 17, 2016
@krousey krousey assigned mikedanese and unassigned krousey May 18, 2016
@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 20, 2016
@gtank gtank mentioned this pull request May 24, 2016
Merged
@k8s-github-robot k8s-github-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 2, 2016
@k8s-bot
Copy link
Copy Markdown

k8s-bot commented Jun 14, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

1 similar comment
@k8s-bot
Copy link
Copy Markdown

k8s-bot commented Jun 15, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message may repeat a few times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

Otherwise, if this message is too spammy, please complain to ixdy.

@gtank gtank force-pushed the certificates-api-controller-v3 branch from 5c795c2 to e846e0b Compare June 27, 2016 23:20
@k8s-github-robot k8s-github-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. kind/old-docs labels Jun 27, 2016
@mikedanese
Copy link
Copy Markdown
Member

mikedanese commented Jun 28, 2016

@gtank please rebase.

@gtank gtank force-pushed the certificates-api-controller-v3 branch from e846e0b to 966eebd Compare June 28, 2016 22:26
@k8s-github-robot k8s-github-robot removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. kind/new-api labels Jun 28, 2016
@gtank gtank force-pushed the certificates-api-controller-v3 branch 2 times, most recently from ad54760 to 9feff4e Compare June 30, 2016 00:32
@k8s-github-robot k8s-github-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 30, 2016
@gtank gtank mentioned this pull request Jun 30, 2016
Closed
@gtank gtank force-pushed the certificates-api-controller-v3 branch from 9feff4e to 164dfdc Compare July 1, 2016 00:04
@euank
Copy link
Copy Markdown
Contributor

euank commented Jul 1, 2016

@k8s-bot test this issue: #27693

@gtank
Copy link
Copy Markdown
Author

gtank commented Jul 1, 2016

@mikedanese found the flake!

mikedanese
mikedanese reviewed Jul 2, 2016
View reviewed changes
Comment thread cmd/kube-controller-manager/app/controllermanager.go
)
if err != nil {
glog.Errorf("Failed to start certificate controller: %v", err)
} else {
Copy link
Copy Markdown
Member

@mikedanese mikedanese Jul 2, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove the else. https://github.com/golang/go/wiki/CodeReviewComments#indent-error-flow

Copy link
Copy Markdown
Author

@gtank gtank Jul 5, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How else should this be done? It can't return or exit here, and shouldn't start the control loop if the signer failed to initialize. I can change the conditionals around to reduce indentation, but the control flow will be the same.

Copy link
Copy Markdown
Member

@mikedanese mikedanese Jul 7, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, misread, I withdraw comment

Copy link
Copy Markdown
Member

@justinsb justinsb Jul 20, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is it not glog.Fatalf though?

Copy link
Copy Markdown
Author

@gtank gtank Jul 22, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It isn't fatal to Kubernetes; there are a lot ways you could accomplish this task aside from running the signing controller.

@mikedanese
Copy link
Copy Markdown
Member

mikedanese commented Jul 2, 2016

Looks good.

@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 13, 2016
@gtank gtank force-pushed the certificates-api-controller-v3 branch from 164dfdc to 902b9fa Compare July 19, 2016 18:26
@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 19, 2016
@mikedanese
Copy link
Copy Markdown
Member

mikedanese commented Jul 19, 2016
edited
Loading

LGTM. Todo:

  1. kubelet integration
  2. e2e tests
  3. kubectl integration

cc @kubernetes/sig-cluster-lifecycle

@mikedanese mikedanese added lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. and removed release-note-label-needed labels Jul 19, 2016
@k8s-bot
Copy link
Copy Markdown

k8s-bot commented Jul 20, 2016

GCE e2e build/test passed for commit 902b9fa.

@k8s-github-robot
Copy link
Copy Markdown

k8s-github-robot commented Jul 20, 2016

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit a279673 into kubernetes:master Jul 20, 2016
@philips philips mentioned this pull request Jul 22, 2016
Closed
@timothysc timothysc added the sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. label Jul 26, 2016
@timothysc
Copy link
Copy Markdown
Contributor

timothysc commented Jul 26, 2016

/cc @dgoodwin

@MikeSpreitzer MikeSpreitzer mentioned this pull request Sep 15, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@mikedanese mikedanese

Labels

kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

9 participants

@gtank @k8s-bot @mikedanese @euank @k8s-github-robot @timothysc @justinsb @krousey @googlebot