Support more auth strategies in kubeadm join with discovery file #110553

Merged

@tallaxes commented Jun 14, 2022

What type of PR is this?

/kind feature

What this PR does / why we need it:

Adds support for the remaining client-go authentication strategies in kubeadm join with discovery/kubeconfig file: client-go authentication plugins (exec), tokenFile, and authProvider. This removes unnecessary constraints on which auth strategies can be used for kubeadm join, and supports use cases that require one of these auth strategies.

Which issue(s) this PR fixes:

Fixes kubernetes/kubeadm#2708

Special notes for your reviewer:

Does this PR introduce a user-facing change?

kubeadm: Added support for additional authentication strategies in `kubeadm join` with discovery/kubeconfig file: client-go authentication plugins (`exec`), `tokenFile`, and `authProvider`

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
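
An added example, not part of this PR or of kubeadm's code: a Go program that reports which credential keys the current-context user of a discovery kubeconfig sets, covering `token` and the three strategies named in the description above. It assumes the file is JSON-encoded (kubeconfig files are normally written as YAML) so that only the standard library is needed; `AuthStrategies`, `credKeys`, the sample file and the plugin name `example-credential-plugin` are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// entry covers items of both contexts[] and users[]; User keeps raw fields.
type entry struct {
	Name    string
	Context struct{ User string }
	User    map[string]json.RawMessage
}

// token is the strategy the thread says came first; the PR adds the other three.
var credKeys = []string{"token", "tokenFile", "auth-provider", "exec"}

// AuthStrategies lists the keys set (present, non-null, non-empty) on current-context's user.
func AuthStrategies(data []byte) ([]string, error) {
	var cfg struct {
		CurrentContext  string `json:"current-context"`
		Contexts, Users []entry
	}
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("parse kubeconfig: %w", err)
	}
	ctxUser := map[string]string{} // context name -> user name
	for _, c := range cfg.Contexts {
		ctxUser[c.Name] = c.Context.User
	}
	name, ok := ctxUser[cfg.CurrentContext]
	for _, u := range cfg.Users {
		if !ok || u.Name != name {
			continue
		}
		found := []string{}
		for _, k := range credKeys {
			if v := string(u.User[k]); v != "" && v != `""` && v != "null" {
				found = append(found, k)
			}
		}
		return found, nil
	}
	return nil, fmt.Errorf("no user entry for current-context %q", cfg.CurrentContext)
}

// Constructed sample (not from the PR): JSON-encoded discovery file with an exec plugin.
const sample = `{"current-context":"join","contexts":[{"name":"join","context":{"cluster":"c","user":"joiner"}}],
 "clusters":[{"name":"c","cluster":{"server":"https://192.0.2.10:6443"}}],
 "users":[{"name":"joiner","user":{"exec":{"apiVersion":"client.authentication.k8s.io/v1","command":"example-credential-plugin"}}}]}`
func main() { fmt.Println(AuthStrategies([]byte(sample))) }
```

Running it on a discovery file before the join shows whether the join will read a token file, call an auth provider, or execute a local plugin command.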


@k8s-ci-robot added labels on Jun 14, 2022: release-note (Denotes a PR that will be considered when it comes time to generate release notes.), kind/feature (Categorizes issue or PR as related to a new feature.), size/M (Denotes a PR that changes 30-99 lines, ignoring generated files.), cncf-cla: yes (Indicates the PR's author has signed the CNCF CLA.), do-not-merge/needs-sig (Indicates an issue or PR lacks a `sig/foo` label and requires one.), needs-triage (Indicates an issue or PR lacks a `triage/foo` label and requires one.)
@k8s-ci-robot
Contributor

Welcome @tallaxes!

It looks like this is your first PR to kubernetes/kubernetes 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/kubernetes has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot added labels on Jun 14, 2022: needs-ok-to-test (Indicates a PR that requires an org member to verify it is safe to test.), needs-priority (Indicates a PR lacks a `priority/foo` label and requires one.)
@k8s-ci-robot
Contributor

Hi @tallaxes. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot added labels on Jun 14, 2022: area/kubeadm, sig/cluster-lifecycle (Categorizes an issue or PR as relevant to SIG Cluster Lifecycle.)
@k8s-ci-robot removed a label on Jun 14, 2022: do-not-merge/needs-sig (Indicates an issue or PR lacks a `sig/foo` label and requires one.)
@pacoxu
Member

pacoxu commented Jun 14, 2022

/ok-to-test

@k8s-ci-robot changed labels on Jun 14, 2022: added ok-to-test (Indicates a non-member PR verified by an org member that is safe to test.); removed needs-ok-to-test (Indicates a PR that requires an org member to verify it is safe to test.)
@neolit123
Member

The change seems good, @tallaxes. Thank you.
Could you please squash the commits into 1, as it is a contained change?

/approve

@neolit123
Member

/priority backlog
/triage accepted

@k8s-ci-robot changed labels on Jun 14, 2022: added priority/backlog (Higher priority than priority/awaiting-more-evidence.), triage/accepted (Indicates an issue or PR is ready to be actively worked on.); removed needs-triage (Indicates an issue or PR lacks a `triage/foo` label and requires one.), needs-priority (Indicates a PR lacks a `priority/foo` label and requires one.)
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123, tallaxes

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot added a label on Jun 14, 2022: approved (Indicates a PR has been approved by an approver from all required OWNERS files.)
@pacoxu
Member

pacoxu commented Jun 14, 2022

/label tide/merge-method-squash
can squash commits into one as well.

@k8s-ci-robot added a label on Jun 14, 2022: tide/merge-method-squash (Denotes a PR that should be squashed by tide when it merges.)
@neolit123
Member

/lgtm

@k8s-ci-robot added a label on Jun 14, 2022: lgtm ("Looks good to me", indicates that a PR is ready to be merged.)
@k8s-ci-robot merged commit 4a54260 into kubernetes:master Jun 14, 2022
@k8s-ci-robot added this to the v1.25 milestone Jun 14, 2022
@tallaxes deleted the kubeadm-support-go-client-plugin branch June 14, 2022 16:50
@sftim
Contributor

sftim commented Jun 25, 2022

Does this change need a docs update?

@pacoxu
Member

pacoxu commented Jun 28, 2022

I think we should update the docs.

If kubeadm join is invoked with --discovery-file, file discovery is used; this file can be a local file or downloaded via an HTTPS URL; in case of HTTPS, the host installed CA bundle is used to verify the connection.

https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-join/
https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/

The current docs don't mention support for TokenFile or AuthProvider.

@pacoxu
Member

pacoxu commented Jun 28, 2022

There are 2 main schemes for discovery. The first is to use a shared
token along with the IP address of the API server. The second is to
provide a file - a subset of the standard kubeconfig file. This file
can be a local file or downloaded via an HTTPS URL. The forms are
kubeadm join --discovery-token abcdef.1234567890abcdef 1.2.3.4:6443,
kubeadm join --discovery-file path/to/file.conf, or kubeadm join
--discovery-file https://url/file.conf. Only one form can be used. If
the discovery information is loaded from a URL, HTTPS must be used.
Also, in that case the host installed CA bundle is used to verify
the connection.

The second is to provide a file - a subset of the standard kubeconfig file.

We supported only token at first, and now we support tokenFile and authProvider. We may update the comment here.

muyangren2 pushed a commit to muyangren2/kubernetes that referenced this pull request Jul 14, 2022
…ubernetes#110553)

* Add support for client-go credential plugins

* Add support for authprovider authentication

* Add support for TokenFile authentication
Successfully merging this pull request may close these issues.

kubeadm join discovery/kubeconfig file does not recognize client-go credential plugin