Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🐛 Fix adoption KubeadmControlPlane owned secrets #7592

Merged
merged 1 commit into from
Nov 29, 2022
Merged

🐛 Fix adoption KubeadmControlPlane owned secrets #7592

merged 1 commit into from
Nov 29, 2022

Conversation

killianmuldoon
Copy link
Contributor

Signed-off-by: killianmuldoon kmuldoon@vmware.com

Ensure that KubeadmControlPlane attempts to adopt secrets under its ownerReference on every reconcile. Part of this change ensures that KubeadmConfigController never creates secrets as long as a ControlPlaneReference is set in the Cluster.Spec.

Part of #6979 , #7575

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 22, 2022
@killianmuldoon killianmuldoon changed the title Fix KubeadmControlPlane secrets should always be adopted 🐛 Fix KubeadmControlPlane secrets should always be adopted Nov 22, 2022
@killianmuldoon killianmuldoon mentioned this pull request Nov 22, 2022
Closed
@killianmuldoon killianmuldoon changed the title 🐛 Fix KubeadmControlPlane secrets should always be adopted 🐛 Fix adoption KubeadmControlPlane owned secrets Nov 22, 2022
@killianmuldoon killianmuldoon force-pushed the fix-kubeadmcontrolplane-secret-adoption branch from 168da4c to 80ef10c Compare November 23, 2022 15:52
@sbueringer
Copy link
Member

/cherry-pick release-1.2

@k8s-infra-cherrypick-robot
Copy link

@sbueringer: once the present PR merges, I will cherry-pick it on top of release-1.2 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sbueringer
Copy link
Member

/cherry-pick release-1.3

@k8s-infra-cherrypick-robot
Copy link

@sbueringer: once the present PR merges, I will cherry-pick it on top of release-1.3 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@killianmuldoon
Copy link
Contributor Author

/test pull-cluster-api-e2e-full-main

@killianmuldoon killianmuldoon force-pushed the fix-kubeadmcontrolplane-secret-adoption branch from 80ef10c to 0e81a0d Compare November 24, 2022 16:10
@killianmuldoon
Copy link
Contributor Author

/test pull-cluster-api-e2e-full-main

@killianmuldoon
Copy link
Contributor Author

A couple of questions on this one to close out:

  1. How should we deal with user supplied certs? Currently the implementation of this PR is to add a controller ownerReference only if the cert is controlled by a KubeadmConfig. In all other cases it will only add a non-controller ownerReference. Note: the only real impact of a controller owner reference is that it's exclusive.
  2. What should be done with user-supplied kubeconfigs? This PR takes ownership of the kubeconfig following the naming scheme every time. A user-supplied kube-config would always be adopted in a cluster running KCP.

@sbueringer
Copy link
Member

sbueringer commented Nov 25, 2022
edited

Currently the implementation of this PR is to add a controller ownerReference only if the cert is controlled by a KubeadmConfig

As far as I can tell ensureCertificatesOwnerRef in the KCP controller always adds KCP as owner, not sure what I'm missing that it's only doing that when the cert is controlled by KubeadmConfig.

To be honest, not sure what we want to do here. When they are generated by us it definitely makes sense to have a controller ownerRef. If some other controller is generating them we shouldn't set a controller ownerRef (should we even set an ownerRef at all / do we own a customer generated secret / do we want to delete it on KCP deletion?). I wonder how we can distinguish the cases though. After ownerRefs are reset we can't do it by ownerRef.
Maybe we can decide it based on secret type?

	// ClusterSecretType defines the type of secret created by core components.
	ClusterSecretType corev1.SecretType = "cluster.x-k8s.io/secret" //nolint:gosec

We set it when generating the certs, it's not part of the doc (https://cluster-api.sigs.k8s.io/tasks/certs/using-custom-certificates.html) and the godoc comment explicitly states "secret created by core components".

As far as I can tell "user-supplied" kubeconfig is not a supported scenario and it also doesn't make a lot of sense. We documented how to provide "custom certificates" (https://cluster-api.sigs.k8s.io/tasks/certs/using-custom-certificates.html) but there is no mention of how to use a custom kubeconfig.

@killianmuldoon killianmuldoon force-pushed the fix-kubeadmcontrolplane-secret-adoption branch from 0e81a0d to 352d663 Compare November 28, 2022 18:34
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 28, 2022
@killianmuldoon killianmuldoon force-pushed the fix-kubeadmcontrolplane-secret-adoption branch 3 times, most recently from 2d5db42 to da77e2e Compare November 28, 2022 22:09
@sbueringer
Copy link
Member

/retest

fabriziopandini
fabriziopandini reviewed Nov 29, 2022
View reviewed changes
Copy link
Member

@fabriziopandini fabriziopandini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

change lgtm to me pending last round of nits + the question about code coverage.
WRT to code coverage, it will be enough for me to have a unit test around adoptKubeconfigSecret (assuming this will be faster than testing all the use cases in TestReconcileKubeconfigSecretDoesNotAdoptsUserSecrets, but I'll defer this to you)

api/v1beta1/common_types.go Outdated Show resolved Hide resolved
bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go Outdated Show resolved Hide resolved
bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go Outdated Show resolved Hide resolved
controlplane/kubeadm/internal/controllers/controller.go Outdated Show resolved Hide resolved
controlplane/kubeadm/internal/controllers/controller.go Outdated Show resolved Hide resolved
@killianmuldoon killianmuldoon force-pushed the fix-kubeadmcontrolplane-secret-adoption branch 2 times, most recently from d413a95 to 22b7185 Compare November 29, 2022 13:02
@sbueringer
Copy link
Member

Changes so far lgtm from my side.

Feel free to merge independent of another review from my side.

@killianmuldoon killianmuldoon force-pushed the fix-kubeadmcontrolplane-secret-adoption branch 3 times, most recently from 396250d to 1bcd318 Compare November 29, 2022 13:34
@sbueringer
Copy link
Member

Thank you!

/lgtm

/assign @fabriziopandini

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 29, 2022
@killianmuldoon
Fix KubeadmControlPlane secrets should always be adopted
f47c3d3 
Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
@killianmuldoon killianmuldoon force-pushed the fix-kubeadmcontrolplane-secret-adoption branch from 1bcd318 to f47c3d3 Compare November 29, 2022 13:39
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 29, 2022
@killianmuldoon
Copy link
Contributor Author

Last change added comments and one more case to the kubeadmconfig secret tests.

@sbueringer
Copy link
Member

Looks good as well

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 29, 2022
fabriziopandini
fabriziopandini reviewed Nov 29, 2022
View reviewed changes
Copy link
Member

@fabriziopandini fabriziopandini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 29, 2022
@k8s-ci-robot k8s-ci-robot merged commit 8033662 into kubernetes-sigs:main Nov 29, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.4 milestone Nov 29, 2022
@k8s-infra-cherrypick-robot
Copy link

@sbueringer: #7592 failed to apply on top of branch "release-1.2":

Applying: Fix KubeadmControlPlane secrets should always be adopted
Using index info to reconstruct a base tree...
M	api/v1beta1/common_types.go
M	bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
M	controlplane/kubeadm/internal/controllers/controller.go
M	controlplane/kubeadm/internal/controllers/controller_test.go
M	controlplane/kubeadm/internal/controllers/helpers.go
M	controlplane/kubeadm/internal/controllers/helpers_test.go
Falling back to patching base and 3-way merge...
Auto-merging controlplane/kubeadm/internal/controllers/helpers_test.go
CONFLICT (content): Merge conflict in controlplane/kubeadm/internal/controllers/helpers_test.go
Auto-merging controlplane/kubeadm/internal/controllers/helpers.go
CONFLICT (content): Merge conflict in controlplane/kubeadm/internal/controllers/helpers.go
Auto-merging controlplane/kubeadm/internal/controllers/controller_test.go
CONFLICT (content): Merge conflict in controlplane/kubeadm/internal/controllers/controller_test.go
Auto-merging controlplane/kubeadm/internal/controllers/controller.go
Auto-merging bootstrap/kubeadm/internal/controllers/kubeadmconfig_controller.go
Auto-merging api/v1beta1/common_types.go
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
Patch failed at 0001 Fix KubeadmControlPlane secrets should always be adopted
When you have resolved this problem, run "git am --continue".
If you prefer to skip this patch, run "git am --skip" instead.
To restore the original branch and stop patching, run "git am --abort".

In response to this:

/cherry-pick release-1.2

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-infra-cherrypick-robot k8s-infra-cherrypick-robot mentioned this pull request Nov 29, 2022
Merged
@k8s-infra-cherrypick-robot
Copy link

@sbueringer: new pull request created: #7659

In response to this:

/cherry-pick release-1.3

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@killianmuldoon killianmuldoon mentioned this pull request Nov 29, 2022
Closed
@sbueringer sbueringer mentioned this pull request Nov 30, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbueringer sbueringer sbueringer left review comments

@fabriziopandini fabriziopandini fabriziopandini left review comments

@stmcginnis stmcginnis Awaiting requested review from stmcginnis

Assignees

@sbueringer sbueringer

@fabriziopandini fabriziopandini

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.4
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@killianmuldoon @sbueringer @k8s-infra-cherrypick-robot @k8s-ci-robot @fabriziopandini