Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

kube-apiserver: always create configmap/extension-apiserver-authentication #67694

Conversation

sttts
Copy link
Contributor

@sttts sttts commented Aug 22, 2018

Other components (aggregated apiservers) read the configmap and fail hard if it does not exist. But they work without all fields being set (#66394). In the future, components like ctrl-manager and scheduler won't need kube-apiserver to authenticate with them at all. So, consequently we should always create the file, even if it is empty.

Always create configmaps/extensions-apiserver-authentication from kube-apiserver.

…ation

Other components read the configmap and fail if it does not exist. Possibly not
every cluster has a client-ca or a request-header-ca.
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Aug 22, 2018
@k8s-ci-robot k8s-ci-robot requested review from gmarek and piosz August 22, 2018 10:37
@sttts sttts added release-note-none Denotes a PR that doesn't merit a release note. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Aug 22, 2018
@sttts sttts changed the title kube-apiserver: create always configmap/extension-apiserver-authentication kube-apiserver: always create configmap/extension-apiserver-authentication Aug 22, 2018
@k8s-ci-robot k8s-ci-robot added do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Aug 22, 2018
@sttts
Copy link
Contributor Author

sttts commented Aug 22, 2018

/retest

rs flakes

@DirectXMan12
Copy link
Contributor

seems pretty reasonable to me

@lavalamp
Copy link
Member

/assign @cheftako

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Aug 24, 2018
@deads2k
Copy link
Contributor

deads2k commented Aug 24, 2018

/lgtm

/hold

holding to give @cheftako at least until next week if we wants it.

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. labels Aug 24, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@sttts
Copy link
Contributor Author

sttts commented Aug 27, 2018

/retest

@sttts
Copy link
Contributor Author

sttts commented Aug 28, 2018

As discussed, unholding on Tuesday.

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 28, 2018
@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 67694, 64973, 67902). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 4007eed into kubernetes:master Aug 28, 2018
k8s-github-robot pushed a commit that referenced this pull request Aug 30, 2018
…-apiserver-authn-configmap

Automatic merge from submit-queue (batch tested with PRs 67764, 68034, 67836). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

apiserver: make not-found external-apiserver-authn configmap non-fatal

As client-ca and requestheader-client-ca is optional in the external-apiserver-authentication config file and components like kube-controller-manager and kube-scheduler won't need that anyway, we better make it non-fatal if the configmap is not found in the cluster.

Consumer counter-part PR to #67694.

```release-note
Don't let aggregated apiservers fail to launch if the external-apiserver-authentication configmap is not found in the cluster.
```
k8s-publishing-bot added a commit to kubernetes/apiserver that referenced this pull request Aug 30, 2018
…-apiserver-authn-configmap

Automatic merge from submit-queue (batch tested with PRs 67764, 68034, 67836). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

apiserver: make not-found external-apiserver-authn configmap non-fatal

As client-ca and requestheader-client-ca is optional in the external-apiserver-authentication config file and components like kube-controller-manager and kube-scheduler won't need that anyway, we better make it non-fatal if the configmap is not found in the cluster.

Consumer counter-part PR to kubernetes/kubernetes#67694.

```release-note
Don't let aggregated apiservers fail to launch if the external-apiserver-authentication configmap is not found in the cluster.
```

Kubernetes-commit: 55859a60fe09c412e183c92ad265cf0d52fbe3d8
sttts pushed a commit to sttts/apiserver that referenced this pull request Sep 5, 2018
…-apiserver-authn-configmap

Automatic merge from submit-queue (batch tested with PRs 67764, 68034, 67836). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

apiserver: make not-found external-apiserver-authn configmap non-fatal

As client-ca and requestheader-client-ca is optional in the external-apiserver-authentication config file and components like kube-controller-manager and kube-scheduler won't need that anyway, we better make it non-fatal if the configmap is not found in the cluster.

Consumer counter-part PR to kubernetes/kubernetes#67694.

```release-note
Don't let aggregated apiservers fail to launch if the external-apiserver-authentication configmap is not found in the cluster.
```

Kubernetes-commit: 55859a60fe09c412e183c92ad265cf0d52fbe3d8
k8s-publishing-bot added a commit to kubernetes/apiserver that referenced this pull request Sep 6, 2018
…-apiserver-authn-configmap

Automatic merge from submit-queue (batch tested with PRs 67764, 68034, 67836). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

apiserver: make not-found external-apiserver-authn configmap non-fatal

As client-ca and requestheader-client-ca is optional in the external-apiserver-authentication config file and components like kube-controller-manager and kube-scheduler won't need that anyway, we better make it non-fatal if the configmap is not found in the cluster.

Consumer counter-part PR to kubernetes/kubernetes#67694.

```release-note
Don't let aggregated apiservers fail to launch if the external-apiserver-authentication configmap is not found in the cluster.
```

Kubernetes-commit: 55859a60fe09c412e183c92ad265cf0d52fbe3d8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants