Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add external_openstack_cacert file from host #11377

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Nathanael-Mtd
Copy link

What type of PR is this?
/kind feature

What this PR does / why we need it:
Same as with the in-tree openstack cloud controller, copy external_openstack_cacert file retrieved from ansible host to the control-plane for secret creation.

Does this PR introduce a user-facing change?:

It remove the needs of manual copy of the openstack ca-cert file to the first control plane.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. labels Jul 12, 2024
Copy link

linux-foundation-easycla bot commented Jul 12, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: Nathanael-Mtd / name: Nathanaël M. (5a8e019)

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Jul 12, 2024
@k8s-ci-robot
Copy link
Contributor

Welcome @Nathanael-Mtd!

It looks like this is your first PR to kubernetes-sigs/kubespray 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kubespray has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 12, 2024
@k8s-ci-robot
Copy link
Contributor

Hi @Nathanael-Mtd. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Jul 12, 2024
Copy link
Contributor

@mzaian mzaian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 13, 2024
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 26, 2024
@yankay
Copy link
Member

yankay commented Jul 29, 2024

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 29, 2024
@yankay
Copy link
Member

yankay commented Aug 1, 2024

/retest

@ant31
Copy link
Contributor

ant31 commented Aug 6, 2024

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ant31, mzaian, Nathanael-Mtd

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 6, 2024
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@Nathanael-Mtd
Copy link
Author

Hi @yankay, I made a mistake the last time with a merge request instead of rebase (but fixed since weeks), and lgtm tag was removed. Can you re-check if it's ok, and @ErikJiang can you review this PR please ?
Thank you !

@VannTen
Copy link
Contributor

VannTen commented Sep 28, 2024

Can you squash the fix commit into the first ? Except that, this should be good.

@Nathanael-Mtd
Copy link
Author

@VannTen Done. Thank you

Copy link
Contributor

@VannTen VannTen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I missed a few things, see comments.

mode: "0640"
when:
- inventory_hostname == groups['kube_control_plane'][0]
- external_openstack_cacert is defined
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not actually resolved, please remove the is defined check

@Nathanael-Mtd
Copy link
Author

@VannTen I changed the behavior to make the same configuration as cinder by using cacert directly from hostPath instead of secret

Copy link
Contributor

@VannTen VannTen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(also, don't forge to run pre-commit before pushing (I know I always do !), it helps catch some stuff.

mode: "0640"
when:
- inventory_hostname == groups['kube_control_plane'][0]
- external_openstack_cacert is defined
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not actually resolved, please remove the is defined check

@@ -110,3 +111,9 @@ spec:
- name: cloud-config-volume
secret:
secretName: external-openstack-cloud-config
{% if external_openstack_cacert is defined and external_openstack_cacert != "" %}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, I think it's fine now !

@VannTen
Copy link
Contributor

VannTen commented Oct 3, 2024 via email

@Nathanael-Mtd
Copy link
Author

Yes but I tried to be coherent with cinder config before : https://github.com/kubernetes-sigs/kubespray/blob/master/roles/kubernetes-apps/csi_driver/cinder/tasks/main.yml#L13
But no problem, I understand now, I will keep the length > 0 !

@VannTen
Copy link
Contributor

VannTen commented Oct 3, 2024 via email

@VannTen
Copy link
Contributor

VannTen commented Oct 3, 2024 via email

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 3, 2024
@Nathanael-Mtd
Copy link
Author

Hmm yeah it seems to be a breaking change.
Overall there are something weird in how it works before that PR, because if I'm not wrong the var external_openstack_cloud_config_secret (from External OpenStack Cloud Controller | Get base64 cloud-config step) is made by using values from ansible host, and Get base64 cacert from remote host, no ?

That's what I found out during my deployment

@VannTen
Copy link
Contributor

VannTen commented Oct 8, 2024

The change appear to have been made in #7603 but I don't get why it changed from copy to slurp 🤔

@Nathanael-Mtd
Copy link
Author

Oh, I think that's linked to UIDs/GIDs, and I just saw that I use root user in my clusters instead of kube and kube-cert.
I think we can forget my PR. But I still need to figure out why the openstack certificate present on ansible host was not copied to the secret.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/feature Categorizes issue or PR as related to a new feature. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants