check cert and token for import config #96
Conversation
zhujian7
force-pushed
the
import-config-ca-empty
branch
from
1105b5c
to
d0158fd
Compare
Signed-off-by: zhujian <jiazhu@redhat.com>
zhujian7
force-pushed
the
import-config-ca-empty
branch
from
d0158fd
to
62eb4c9
Compare
|
/assign @skeeey |
| @@ -224,6 +224,10 @@ func getValidCertificatesFromURL(serverURL string, rootCAs *x509.CertPool) ([]*x | |||
| // create kubeconfig from bootstrap secret | |||
| func createKubeconfigData(client client.Client, bootStrapSecret *corev1.Secret) ([]byte, error) { | |||
| saToken := bootStrapSecret.Data["token"] | |||
| if len(saToken) == 0 { | |||
| log.Error(nil, "No token value found in the boot strap secret", "secret name", bootStrapSecret.Name) | |||
There was a problem hiding this comment.
we may not need log this, this err will be requeued, so we can find it in the controller-runtime
|
|
||
| if !knownCAs { | ||
| // fallback to service account token ca.crt | ||
| if v := bootStrapSecret.Data["ca.crt"]; len(v) > 0 { |
There was a problem hiding this comment.
It seems the ca.crt is not required for corev1.SecretTypeServiceAccountToken,
SecretTypeServiceAccountToken contains a token that identifies a service account to the API
Required fields: - Secret.Annotations["kubernetes.io/service-account.name"] - the name of the ServiceAccount the token identifies - Secret.Annotations["kubernetes.io/service-account.uid"] - the UID of the ServiceAccount the token identifies - Secret.Data["token"] - a token that identifies the service account to the API
so do we need this? I think we may keep original logical in current phase
@zhiweiyin318 what's your opinion? and is the ca.crt missed in the QE env? if it is not missed, I think we don't need change this
There was a problem hiding this comment.
ca and token are both missed on the managed cluster ,but they exist in the import-secret.
There was a problem hiding this comment.
I checked the OCP on AWS, commonly there is no cert in apiservers.config.openshift.io/cluster. so the ca is fetched from the bootstrap-sa-token secret in bootstrap-sa.
the token and ca are both fetched from the bootstrap-sa-token secret. they will be empty in the import secret in the case the secret is not created before import.
we can only use token in the kubeconfig, but need add insecure-skip-tls-verify: true in it.
There was a problem hiding this comment.
// AddFlags adds flags related to ServiceAccountController for controller manager to the specified FlagSet
...
fs.StringVar(&o.RootCAFile, "root-ca-file", o.RootCAFile, "If set, this root certificate authority will be included in service account's token secret. This must be a valid PEM-encoded CA bundle.")
if root-ca-file is set, the ca.crt will be in the sa token secret.
in OCP, root-ca-file is set.
$ oc get pods -n openshift-kube-controller-manager kube-controller-manager-ip-10-0-137-110.ec2.internal -o yaml | grep root-ca-file
--root-ca-file=/etc/kubernetes/static-pod-resources/configmaps/serviceaccount-ca/ca-bundle.crt
Signed-off-by: zhujian <jiazhu@redhat.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: zhujian7 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Kudos, SonarCloud Quality Gate passed!
|
| if v := bootStrapSecret.Data["ca.crt"]; len(v) > 0 { | ||
| certData = v | ||
| } else { | ||
| log.Info("No ca.crt found in the boot strap secret", "secret name", bootStrapSecret.Name) |
There was a problem hiding this comment.
if we allow empty ca, we should add insecure-skip-tls-verify: true in bootstrap-kubeconfig. And need to check if we can registry a cluster using a kubeconfig without ca.
I suggest to return error here since ca is set in sa token secret in OCP.
Ref to: https://github.com/open-cluster-management/backlog/issues/16871
Signed-off-by: zhujian jiazhu@redhat.com