You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat(session): manage KAP mTLS agent credentials (#1264)
## Summary
- keep only the KAP mTLS status and credential-update session commands;
kubeconfig is now fixed during Lepton bootstrap
- validate each per-machine certificate, identity, endpoint, and CA
fingerprint before writing an immutable credential generation
- atomically switch the `current` symlink, restart the agent, and
acknowledge the update only after `/readyz` succeeds
- remove enable/disable state, kubeconfig mutation, pending markers,
nested TLS preflight, and automatic rollback
- keep certificate and private-key material redacted from session audit
logs
## Rollout
- the companion Lepton MR
[dgxc-lepton/lepton!7510](https://gitlab-master.nvidia.com/dgxc-lepton/lepton/-/merge_requests/7510)
installs the agent by default on new nodes and points kubelet at
loopback from bootstrap
- existing nodes are not backfilled; Lepton reconciles only Machines
that report the `kap-mtls-agent` package
- release this gpud change before or with the Lepton node-init rollout;
failures leave new nodes blocked before kubelet registration
## Verification
- `GOFLAGS=-mod=mod go test -count=1 ./pkg/kapmtls`
- `GOFLAGS=-mod=mod go test -count=1 -gcflags='all=-N -l' ./pkg/session`
- `GOFLAGS=-mod=mod go test -race ./pkg/kapmtls`
- `GOFLAGS=-mod=mod go vet ./pkg/kapmtls ./pkg/session`
The repository-wide default `pkg/session` test command requires Mockey's
`-gcflags='all=-N -l'` on macOS/arm64; the changed package scope passes
with that required flag.
Jira: LEP-5336
---------
Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Gyuho Lee <gyuhol@nvidia.com>
0 commit comments