Merged
4 changes: 1 addition & 3 deletions docs/openshift_ci.md
Expand Up @@ -31,16 +31,14 @@ MicroShift generates a set of kubeconfig files in default configuration:
# tree /var/lib/microshift/resources/kubeadmin/
/var/lib/microshift/resources/kubeadmin/
├── kubeconfig
├── localhost
│ └── kubeconfig
├── microshift-dev
│ └── kubeconfig
└── microshift-dev.localdomain
└── kubeconfig

3 directories, 4 files
```
Using default configuration there is a kubeconfig for each of the subject alternative names, localhost, and the one at the root directory which is using the cluster URL. If cluster URL is not using localhost then all these files are not generated.
Using default configuration there is a kubeconfig for each of the subject alternative names and the one at the root directory which is using the cluster URL, which defaults to localhost.

Having a DNS (or simply changing `/etc/hosts`) we have to select which of the kubeconfig files we need to use according to it. In this case we may copy the `microshift-dev` kubeconfig to our local environment and we will be able to use `oc`:
```
25 changes: 14 additions & 11 deletions pkg/cmd/init.go
Expand Up @@ -341,7 +341,6 @@ func certSetup(cfg *config.MicroshiftConfig) (*certchains.CertificateChains, err
[]string{"kubelet-signer", "kube-csr-signer"},
).WithCABundle(
cryptomaterial.ServiceAccountTokenCABundlePath(certsDir),
[]string{"kube-apiserver-external-signer"},
[]string{"kube-apiserver-localhost-signer"},
[]string{"kube-apiserver-service-network-signer"},
).Complete()
Expand Down Expand Up @@ -370,9 +369,13 @@ func initKubeconfigs(
cfg *config.MicroshiftConfig,
certChains *certchains.CertificateChains,
) error {
inClusterTrustBundlePEM, err := os.ReadFile(cryptomaterial.ServiceAccountTokenCABundlePath(cryptomaterial.CertsDirectory(microshiftDataDir)))
externalTrustPEM, err := os.ReadFile(cryptomaterial.CACertPath(cryptomaterial.KubeAPIServerExternalSigner(cryptomaterial.CertsDirectory(microshiftDataDir))))
if err != nil {
return fmt.Errorf("failed to load the in-cluster trust bundle: %v", err)
return fmt.Errorf("failed to load the external trust signer: %v", err)
}
internalTrustPEM, err := os.ReadFile(cryptomaterial.CACertPath(cryptomaterial.KubeAPIServerLocalhostSigner(cryptomaterial.CertsDirectory(microshiftDataDir))))
if err != nil {
return fmt.Errorf("failed to load the internal trust signer: %v", err)
}

adminKubeconfigCertPEM, adminKubeconfigKeyPEM, err := certChains.GetCertKey("admin-kubeconfig-signer", "admin-kubeconfig-client")
Expand All @@ -390,12 +393,12 @@ func initKubeconfigs(
}

// Generate one kubeconfigs per name
for _, name := range append(cfg.SubjectAltNames, cfg.NodeName, "localhost") {
for _, name := range append(cfg.SubjectAltNames, cfg.NodeName) {
u.Host = fmt.Sprintf("%s:%d", name, apiServerPort)
if err := util.KubeConfigWithClientCerts(
cfg.KubeConfigAdminPath(name),
u.String(),
inClusterTrustBundlePEM,
externalTrustPEM,
adminKubeconfigCertPEM,
adminKubeconfigKeyPEM,
); err != nil {
Expand All @@ -406,7 +409,7 @@ func initKubeconfigs(
if err := util.KubeConfigWithClientCerts(
cfg.KubeConfigPath(config.KubeAdmin),
cfg.Cluster.URL,
inClusterTrustBundlePEM,
internalTrustPEM,
adminKubeconfigCertPEM,
adminKubeconfigKeyPEM,
); err != nil {
Expand All @@ -420,7 +423,7 @@ func initKubeconfigs(
if err := util.KubeConfigWithClientCerts(
cfg.KubeConfigPath(config.KubeControllerManager),
cfg.Cluster.URL,
inClusterTrustBundlePEM,
internalTrustPEM,
kcmCertPEM,
kcmKeyPEM,
); err != nil {
Expand All @@ -434,7 +437,7 @@ func initKubeconfigs(
if err := util.KubeConfigWithClientCerts(
cfg.KubeConfigPath(config.KubeScheduler),
cfg.Cluster.URL,
inClusterTrustBundlePEM,
internalTrustPEM,
schedulerCertPEM, schedulerKeyPEM,
); err != nil {
return err
Expand All @@ -447,7 +450,7 @@ func initKubeconfigs(
if err := util.KubeConfigWithClientCerts(
cfg.KubeConfigPath(config.Kubelet),
cfg.Cluster.URL,
inClusterTrustBundlePEM,
internalTrustPEM,
kubeletCertPEM, kubeletKeyPEM,
); err != nil {
return err
Expand All @@ -459,7 +462,7 @@ func initKubeconfigs(
if err := util.KubeConfigWithClientCerts(
cfg.KubeConfigPath(config.ClusterPolicyController),
cfg.Cluster.URL,
inClusterTrustBundlePEM,
internalTrustPEM,
clusterPolicyControllerCertPEM, clusterPolicyControllerKeyPEM,
); err != nil {
return err
Expand All @@ -472,7 +475,7 @@ func initKubeconfigs(
if err := util.KubeConfigWithClientCerts(
cfg.KubeConfigPath(config.RouteControllerManager),
cfg.Cluster.URL,
inClusterTrustBundlePEM,
internalTrustPEM,
routeControllerManagerCertPEM, routeControllerManagerKeyPEM,
); err != nil {
return err
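Review bot: The root kubeadmin kubeconfig and every component kubeconfig in initKubeconfigs now pair `cfg.Cluster.URL` with `internalTrustPEM`, the localhost signer's CA, but nothing visible in these hunks checks that the URL's host is one the localhost signer actually issues a serving certificate for. If an operator sets a non-localhost cluster URL, these clients would presumably fail TLS verification at runtime rather than at init, which fails closed but is hard to diagnose. I would either reject such a URL up front or document the coupling next to the read, e.g. `// internalTrustPEM only verifies certs issued by the localhost signer; cfg.Cluster.URL must use a name that signer covers.` Separately, the two new `os.ReadFile` errors are wrapped with `%v`; `%w` would keep the underlying `*os.PathError` inspectable by callers. The body of initKubeconfigs continues outside the visible hunks, so a check may already exist there.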