-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CertSAN added as a patch json in clusterclass patches #372
base: main
Are you sure you want to change the base?
CertSAN added as a patch json in clusterclass patches #372
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #372 +/- ##
=======================================
Coverage 15.24% 15.24%
=======================================
Files 18 18
Lines 1207 1207
=======================================
Hits 184 184
Misses 1023 1023 ☔ View full report in Codecov by Sentry. |
/retest |
openAPIV3Schema: | ||
description: Set extra Subject Alternative Names (SANs) for the API Server | ||
signing certificate. | ||
type: string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should be a list of strings
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wanted to avoid any issue as mentioned in kubernetes-sigs/cluster-api#6245
path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer | ||
valueFrom: | ||
template: | | ||
certSANs: [ {{ .apiServerSigningCertExtraCertSANs }} ] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should just be {{ .apiServerSigningCertExtraCertSANs }}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could you please elaborate why it should be? it works current way
subnetName: "${NUTANIX_SUBNET_NAME}" | ||
- name: apiServerSigningCertExtraCertSANs | ||
value: "localhost, 127.0.0.1, 0.0.0.0" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should be a list of strings rather than a CSV string
@@ -52,6 +52,8 @@ spec: | |||
systemDiskSize: ${NUTANIX_SYSTEMDISK_SIZE=40Gi} | |||
vcpuSockets: ${NUTANIX_MACHINE_VCPU_SOCKET=2} | |||
vcpusPerSocket: ${NUTANIX_MACHINE_VCPU_PER_SOCKET=1} | |||
- name: apiServerSigningCertExtraCertSANs | |||
value: localhost, 127.0.0.1, 0.0.0.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should be a list of strings rather than a CSV string
schema: | ||
openAPIV3Schema: | ||
description: Set extra Subject Alternative Names (SANs) for the API Server signing certificate. | ||
type: string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should be a list of strings
path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer | ||
valueFrom: | ||
template: | | ||
certSANs: [ {{ .apiServerSigningCertExtraCertSANs }} ] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should just be {{ .apiServerSigningCertExtraCertSANs }}
reason: it was carry forward from docker provider and is not needed for nutanix provider kcp and kcpt
095fccd
to
b6556c9
Compare
- op: add | ||
path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer | ||
valueFrom: | ||
template: | | ||
certSANs: [ {{ .apiServerSigningCertExtraCertSANs }} ] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the limitation of inline patches and the difficulty of testing it :(
Having path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer
will remove all other options in apiServer
both from templates and set by previously applied patches.
I would suggest something like this (this is already being tested in DKP in e2e tests). This initializes an empty array and then sets certSANs
if apiServerSigningCertExtraCertSANs
is not empty. Please also note this includes new definitions
and jsonPatches
as these are unrelated patches to /spec/template/spec/kubeadmConfigSpec/users
.
- definitions:
- jsonPatches:
- op: add
path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs
value: []
selector:
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlaneTemplate
matchResources:
controlPlane: true
description: Initializes the API server extra sans.
name: initializeKubeAPIServerExtraSans
- definitions:
- jsonPatches:
- op: add
path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs
valueFrom:
variable: apiServerSigningCertExtraCertSANs
selector:
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlaneTemplate
matchResources:
controlPlane: true
description: Sets the extraSANs for a cluster
enabledIf: '{{ if . apiServerSigningCertExtraCertSANs }}true{{ end }}'
name: extraSANs
or simplified (untested):
- definitions:
- jsonPatches:
- op: add
path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs
value: []
- op: add
path: /spec/template/spec/kubeadmConfigSpec/clusterConfiguration/apiServer/certSANs
valueFrom:
variable: apiServerSigningCertExtraCertSANs
selector:
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlaneTemplate
matchResources:
controlPlane: true
description: Sets the extraSANs for a cluster
enabledIf: '{{ if . apiServerSigningCertExtraCertSANs }}true{{ end }}'
name: extraSANs
- name: apiServerSigningCertExtraCertSANs | ||
required: true | ||
schema: | ||
openAPIV3Schema: | ||
description: Set extra Subject Alternative Names (SANs) for the API Server | ||
signing certificate. | ||
type: string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And then you can make this an optional list.
- name: apiServerSigningCertExtraCertSANs | |
required: true | |
schema: | |
openAPIV3Schema: | |
description: Set extra Subject Alternative Names (SANs) for the API Server | |
signing certificate. | |
type: string | |
- name: apiServerSigningCertExtraCertSANs | |
schema: | |
openAPIV3Schema: | |
description: Set extra Subject Alternative Names (SANs) for the API Server | |
signing certificate. | |
type: array | |
items: | |
type: string |
What this PR does / why we need it:
Makes certSAN for apiServer configurable as variable in cluster with topology
certSANs[]string | certSANs sets extra Subject Alternative Names (SANs) for the API Server signing certificate.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #
How Has This Been Tested?:
Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration and test output
Special notes for your reviewer:
TODO:
Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.
Release note: