Configure and install out-of-tree gcp credential provider #111495
Conversation
k8s-ci-robot
added
release-note-none
|
@ndixita: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @ndixita. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-priority
|
/milestone v1.26 |
|
@ndixita: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Milestone Maintainers Team and have them propose you as an additional delegate for this responsibility. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
area/provider/gcp
|
@ndixita: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cc @ruiwen-zhao |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/retest |
|
/cc @bobbypage |
ndixita
force-pushed
the
node-e2e-gcp-cred-provider
branch
from
1cce947
to
e0b72d0
Compare
cluster/gce/gci/configure.sh
Outdated
| local auth_config_file="${KUBE_HOME}/cri_auth_config.yaml" | ||
| cat >> "${auth_config_file}" << EOF | ||
| kind: CredentialProviderConfig | ||
| apiVersion: kubelet.config.k8s.io/v1alpha1 |
There was a problem hiding this comment.
should the api version be /v1beta1?
cluster/gce/gci/configure.sh
Outdated
| @@ -644,6 +683,16 @@ function install-kube-binary-config { | |||
| log-wrap "RemountFlexVolume" remount-flexvolume-directory "${VOLUME_PLUGIN_DIR}" | |||
| fi | |||
|
|
|||
| # When ENABLE_AUTH_PROVIDER_GCP is set, following flags for out-of-tree credential provider for GCP | |||
| # are presented to kubelet: | |||
| # --feature-gates=DisableKubeletCloudCredentialProviders=true,KubeletCredentialProviders=true | |||
There was a problem hiding this comment.
This comment regarding feature gate being enabled automatically with ENABLE_AUTH_PROVIDER_GCP is no longer true (maybe note that it is required that those two feature gates should be enabled)
cluster/gce/gci/configure.sh
Outdated
| @@ -546,6 +548,43 @@ function install-containerd-ubuntu { | |||
| sudo systemctl start containerd | |||
| } | |||
|
|
|||
| function install-auth-provider-gcp { | |||
| local -r auth_provider_tar="auth-provider-gcp-${DEFAULT_AUTH_PROVIDER_GCP_VERSION}-${HOST_PLATFORM}_amd64.tar.gz" | |||
There was a problem hiding this comment.
Instead of hardcoding _amd64.tar.gz, I would use the use ${HOST_ARCH} (so we can expand it to other arch later if needed).
i.e. follow same naming scheme as NPD:
local -r npd_tar="node-problem-detector-${npd_version}-${HOST_PLATFORM}_${HOST_ARCH}.tar.gz"
https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure.sh#L290
dchen1107
added
priority/important-soon
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dchen1107, ndixita The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
ndixita
force-pushed
the
node-e2e-gcp-cred-provider
branch
from
e0b72d0
to
d1deca1
Compare
k8s-ci-robot
removed
the
lgtm
|
/retest |
|
Thanks for the updates! /lgtm |
k8s-ci-robot
added
the
lgtm
|
the alpha e2e job has been red for about 3 days, corresponding roughly with when this PR merged... is there any config in the alpha job that would cause problems with this configuration? |
|
trying the alpha e2e job with #112075 reverting this change to see if that resolves the bring-up error |
|
This PR is a no-op unless ENABLE_AUTH_PROVIDER_GCP is set. And I dont think any test job has set up ENABLE_AUTH_PROVIDER_GCP yet. |
|
For tracking purposes, this PR is for kubernetes/enhancements#2133 |
What type of PR is this?
/kind feature
/sig node
/sig testing
What this PR does / why we need it:
This PR adds GCP-specific implementation for tests to validate external credential provider feature in order to promote the feature to GA. Changes include:
Special notes for your reviewer:
Does this PR introduce a user-facing change?