Bootstrap with pre-defined identities #3400
Conversation
Adds a new --core-identities-file kcp flag. On-behalf-of: @SAP [email protected] Signed-off-by: Robert Vasek <[email protected]>
kcp-ci-bot
added
release-note
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@gman0: The following test failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
| var coreIdentities coreIdentitiesFile | ||
| bs, err := os.ReadFile(identitiesFilename) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to read core identities file %s: %v", identitiesFilename, err) | ||
| } | ||
| if err = yaml.UnmarshalStrict(bs, &coreIdentities); err != nil { | ||
| return fmt.Errorf("failed to parse YAML file %s: %v", identitiesFilename, err) | ||
| } |
There was a problem hiding this comment.
| var coreIdentities coreIdentitiesFile | |
| bs, err := os.ReadFile(identitiesFilename) | |
| if err != nil { | |
| return fmt.Errorf("failed to read core identities file %s: %v", identitiesFilename, err) | |
| } | |
| if err = yaml.UnmarshalStrict(bs, &coreIdentities); err != nil { | |
| return fmt.Errorf("failed to parse YAML file %s: %v", identitiesFilename, err) | |
| } | |
| bs, err := os.ReadFile(identitiesFilename) | |
| if err != nil { | |
| return fmt.Errorf("failed to read core identities file %s: %v", identitiesFilename, err) | |
| } | |
| var coreIdentities coreIdentitiesFile | |
| if err := yaml.UnmarshalStrict(bs, &coreIdentities); err != nil { | |
| return fmt.Errorf("failed to parse YAML file %s: %v", identitiesFilename, err) | |
| } |
| s.BootstrapApiExtensionsClusterClient.Cluster(core.RootCluster.Path()).Discovery(), | ||
| s.DynamicClusterClient.Cluster(core.RootCluster.Path()), | ||
| s.KubeClusterClient.Cluster(core.RootCluster.Path()), | ||
| s.Options.Extra.CoreIdentitiesFile, |
There was a problem hiding this comment.
E.g. here the file is read pkg/server and then the contents are handed off:
Lines 369 to 389 in e2ba960
Might also make it easier to test config without having to write the contents out to a file rather than just passing the bytes.
| @@ -166,6 +167,7 @@ func (o *Options) AddFlags(fss *cliflag.NamedFlagSets) { | |||
| fs.StringVar(&o.Extra.ShardClientKeyFile, "shard-client-key-file", o.Extra.ShardClientKeyFile, "Path to a client certificate key file the shard uses to communicate with other system components.") | |||
| fs.StringVar(&o.Extra.LogicalClusterAdminKubeconfig, "logical-cluster-admin-kubeconfig", o.Extra.LogicalClusterAdminKubeconfig, "Kubeconfig holding system:kcp:logical-cluster-admin credentials for connecting to other shards. Defaults to the loopback client") | |||
| fs.StringVar(&o.Extra.ExternalLogicalClusterAdminKubeconfig, "external-logical-cluster-admin-kubeconfig", o.Extra.ExternalLogicalClusterAdminKubeconfig, "Kubeconfig holding system:kcp:external-logical-cluster-admin credentials for connecting to the external address (e.g. the front-proxy). Defaults to the loopback client") | |||
| fs.StringVar(&o.Extra.CoreIdentitiesFile, "core-identities-file", "", "Path to a YAML file with APIExport - Identity secret Identity key pairs. Defaults to empty, i.e. all identities are generated.") | |||
There was a problem hiding this comment.
the format must be documented. In the docs, and If it's super simple, then here too.
There was a problem hiding this comment.
Maybe you mean that in the description. Maybe `.... with a map where keys are X and values are Y. What are the keys? What is a identity secret? Are these write 1:1 to the secret of the same name? Try to be clear and precise.
There was a problem hiding this comment.
Also it must be very clear what happens if the secrets are pre-existing.
| @@ -166,6 +167,7 @@ func (o *Options) AddFlags(fss *cliflag.NamedFlagSets) { | |||
| fs.StringVar(&o.Extra.ShardClientKeyFile, "shard-client-key-file", o.Extra.ShardClientKeyFile, "Path to a client certificate key file the shard uses to communicate with other system components.") | |||
| fs.StringVar(&o.Extra.LogicalClusterAdminKubeconfig, "logical-cluster-admin-kubeconfig", o.Extra.LogicalClusterAdminKubeconfig, "Kubeconfig holding system:kcp:logical-cluster-admin credentials for connecting to other shards. Defaults to the loopback client") | |||
| fs.StringVar(&o.Extra.ExternalLogicalClusterAdminKubeconfig, "external-logical-cluster-admin-kubeconfig", o.Extra.ExternalLogicalClusterAdminKubeconfig, "Kubeconfig holding system:kcp:external-logical-cluster-admin credentials for connecting to the external address (e.g. the front-proxy). Defaults to the loopback client") | |||
| fs.StringVar(&o.Extra.CoreIdentitiesFile, "core-identities-file", "", "Path to a YAML file with APIExport - Identity secret Identity key pairs. Defaults to empty, i.e. all identities are generated.") | |||
There was a problem hiding this comment.
| fs.StringVar(&o.Extra.CoreIdentitiesFile, "core-identities-file", "", "Path to a YAML file with APIExport - Identity secret Identity key pairs. Defaults to empty, i.e. all identities are generated.") | |
| fs.StringVar(&o.Extra.CoreIdentitiesFile, "core-identities-file", "", "Path to a YAML file with APIExport - identity secret identity key pairs. Defaults to empty, i.e. all identities are generated.") |
| @@ -0,0 +1,43 @@ | |||
| /* | |||
| Copyright 2022 The KCP Authors. | |||
Summary
This PR adds a way to inject identities from a file while performing phase0 bootstrapping, making it possible to override core identities with pre-defined ones.
The file is expected to by YAML-formatted, passed via
--core-identities-filekcp command line flag; its structure is rather simple, see the linked issue for reference.What Type of PR Is This?
/kind feature
Related Issue(s)
Fixes #3320
Release Notes