
Feature: add hubself cert manage mode that use bearer token to bootstrap yurthub agent #120

Merged
merged 1 commit into from
Sep 30, 2020

Conversation

rambohe-ch
Member

yurthub is currently communicating with the master using the kubelet component's certificate (/etc/kubernetes/kubelet.conf), and when the node certificate expires, yurthub will not work because kubelet cannot update the node certificate via yurthub.

To solve this case, add node certificate generation and cyclic updating ability to yurthub, so that yurthub can communicate with the master without the kubelet node certificate, and when the node certificate expires, yurthub can update it by itself.

@@ -0,0 +1,596 @@
package hubself
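Review bot: the new file opens directly with `package hubself` and carries no license/copyright header above it, which is also what the inline review asks for; add the project's standard file header and, since this hunk introduces a 596-line file, a package doc comment (`// Package hubself ...`) stating that this is the cert manager mode in which yurthub bootstraps and renews its own node certificate.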
Member

Add file header.

Member Author

fixed

@Fei-Guo
Member

Fei-Guo commented Sep 29, 2020

To solve this case, add node certificate generation and cyclic updating ability to yurthub, so that yurthub can communicate with the master without the kubelet node certificate, and when the node certificate expires, yurthub can update it by itself.

Can you elaborate:

  1. Where to get the JoinToken when starting the cert manager?
  2. What is the workflow of handling node cert expiration with the new code? I assume the (ycm *yurtHubCertManager) Update() method will be called but I don't see the caller.

Member

@charleszheng44 charleszheng44 left a comment

Overall, the PR is good. I just have a question regarding the "jointoken." When the yurthub starts to run, the kubelet should have connected to the kube-apiserver already. Can we reuse the kubelet's bootstrap config instead of passing the "jointoken" through the command line?

@charleszheng44 charleszheng44 self-requested a review September 30, 2020 03:36
Member

@charleszheng44 charleszheng44 left a comment

/lgtm

@rambohe-ch rambohe-ch force-pushed the feature/yurthub-cert-mgr-mode branch from 442f0dd to be56b40 Compare September 30, 2020 07:01
@rambohe-ch
Member Author

rambohe-ch commented Sep 30, 2020

To solve this case, add node certificate generation and cyclic updating ability to yurthub, so that yurthub can communicate with the master without the kubelet node certificate, and when the node certificate expires, yurthub can update it by itself.

Can you elaborate:

  1. Where to get the JoinToken when starting the cert manager?

When transferring a k8s worker node into an openyurt worker node, yurtctl currently deploys a yurthub on the node, so the bootstrap join token will be created by yurtctl before yurthub deployment, and we will add this implementation in another pull request.

  2. What is the workflow of handling node cert expiration with the new code? I assume the (ycm *yurtHubCertManager) Update() method will be called but I don't see the caller.

Yeah, the caller for cert update will be added in another pull request.

@rambohe-ch
Member Author

Overall, the PR is good. I just have a question regarding the "jointoken." When the yurthub starts to run, the kubelet should have connected to the kube-apiserver already. Can we reuse the kubelet's bootstrap config instead of passing the "jointoken" through the command line?

If no join token is set for yurthub when hubself cert mode is selected, the original kubelet.conf will also be used.
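The credential-selection logic the thread describes (the PR description: a node cert the hub issues and renews for itself instead of borrowing kubelet.conf; the last reply: fall back to the original kubelet.conf when no join token is set) can be made concrete as below. This is an added example written for this page, not code from the openyurt repository or from the PR's hubself package: the node name, the fixed 80% rotation fraction, the self-signed certificate used as sample input and the function names are all assumptions; a real hub would obtain its certificate from the apiserver through a CertificateSigningRequest rather than mint it locally.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// CredSource is the credential a hubself-style cert manager would use to reach
// the apiserver, in the order of preference the thread describes: the hub's own
// node cert if still valid, else the bootstrap (join) token, else kubelet.conf.
type CredSource int

const (
	UseNodeCert       CredSource = iota // node client cert issued to yurthub itself
	UseBootstrapToken                   // bearer join token, used to request a fresh node cert
	UseKubeletConf                      // fallback: reuse /etc/kubernetes/kubelet.conf
)

var credNames = [...]string{"node-cert", "bootstrap-token", "kubelet.conf"}

// kubeadm bootstrap tokens have the form "<6 chars>.<16 chars>" over [a-z0-9].
var bootstrapTokenRE = regexp.MustCompile(`^[a-z0-9]{6}\.[a-z0-9]{16}$`)

// IssueNodeCertPEM mints a self-signed node client certificate with the given
// validity window. Constructed sample input only: it stands in for a cert the
// apiserver would sign for the hub.
func IssueNodeCertPEM(notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:   "system:node:edge-node-1", // hypothetical node name
			Organization: []string{"system:nodes"},
		},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ParseClientCertPEM parses the first PEM block, which must be a CERTIFICATE.
func ParseClientCertPEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// NeedsRotation reports whether the cert has passed the given fraction of its
// lifetime, the point at which a periodic renewal loop should request a new one
// (a fixed fraction is an assumption; kubelet uses a jittered 70-90% window).
func NeedsRotation(cert *x509.Certificate, now time.Time, fraction float64) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	deadline := cert.NotBefore.Add(time.Duration(float64(lifetime) * fraction))
	return !now.Before(deadline)
}

// ChooseCredential picks the startup credential. An expired or unparsable node
// cert is not an error by itself: that is the case the join token recovers from.
func ChooseCredential(certPEM []byte, joinToken string, haveKubeletConf bool, now time.Time) (CredSource, error) {
	if len(certPEM) > 0 {
		if cert, err := ParseClientCertPEM(certPEM); err == nil &&
			!now.Before(cert.NotBefore) && now.Before(cert.NotAfter) {
			return UseNodeCert, nil
		}
	}
	if joinToken != "" {
		if !bootstrapTokenRE.MatchString(joinToken) {
			return 0, errors.New("join token does not match the bootstrap token format")
		}
		return UseBootstrapToken, nil
	}
	if haveKubeletConf {
		return UseKubeletConf, nil
	}
	return 0, errors.New("no usable credential: no valid node cert, no join token, no kubelet.conf")
}

func main() {
	notBefore := time.Date(2020, 9, 30, 0, 0, 0, 0, time.UTC)
	certPEM, err := IssueNodeCertPEM(notBefore, notBefore.Add(365*24*time.Hour))
	if err != nil {
		panic(err)
	}
	// Before expiry the hub keeps its own cert; after expiry it falls back to the join token.
	for _, now := range []time.Time{notBefore.Add(24 * time.Hour), notBefore.Add(400 * 24 * time.Hour)} {
		src, err := ChooseCredential(certPEM, "abcdef.0123456789abcdef", true, now)
		fmt.Printf("at %s: use %s (err=%v)\n", now.Format(time.RFC3339), credNames[src], err)
	}
}
```

The check in ChooseCredential is deliberately asymmetric: a bad or expired certificate silently moves on to the next source, while a malformed join token is an error, because the token is the one credential that must be correct for the hub to recover on its own.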

@Fei-Guo Fei-Guo merged commit 288aee5 into openyurtio:master Sep 30, 2020
wenjun93 pushed a commit to wenjun93/openyurt that referenced this pull request Nov 26, 2020
@rambohe-ch rambohe-ch deleted the feature/yurthub-cert-mgr-mode branch May 27, 2021 06:27
MrGirl pushed a commit to MrGirl/openyurt that referenced this pull request Mar 29, 2022
3 participants