Enable etcd-manager / etcd3 / etcd-tls in kops 1.12 #6359
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
approved
justinsb
force-pushed
the
integration_etcd
branch
from
9db26ea to
9bd954a
Compare
k8s-ci-robot
added
needs-rebase
justinsb
force-pushed
the
integration_etcd
branch
2 times, most recently
from
2ac6a2b to
27e0645
Compare
k8s-ci-robot
added
size/XL
justinsb
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
cc @gambol99 heads-up on TLS changes - enabling TLS by default in 1.12, using new CA keys which are split for peers & clients. |
justinsb
force-pushed
the
integration_etcd
branch
2 times, most recently
from
56c0fe0 to
f9c2493
Compare
justinsb
force-pushed
the
integration_etcd
branch
from
f9c2493 to
63b7e69
Compare
k8s-ci-robot
added
size/L
In 1.12 (kops & kubenetes): * We default etcd-manager on * We default to etcd3 * We default to full TLS for etcd (client and peer) * We stop allowing external access to etcd
justinsb
force-pushed
the
integration_etcd
branch
from
63b7e69 to
31f408c
Compare
|
Maybe add a few lines to the documentation that etcd-manager is a default now? |
nodeup/pkg/model/etcd_manager_tls.go
Outdated
| } | ||
|
|
||
| { | ||
| p := filepath.Join(dir, name+".key") |
There was a problem hiding this comment.
nit: Looks a little duplicated to me if the only change to line 142 is the file suffix
There was a problem hiding this comment.
There's also the byte slice we're writing, the file mode, and the error message :-) I think it would be hard to dedup this - though very open to suggestions!
There was a problem hiding this comment.
What about
{
path := filepath.Join(dir, name)
{
if err := ioutil.WriteFile(p+".crt", certBytes, 0644); err != nil {
return fmt.Errorf("error writing certificate key file %q: %v", p+".crt", err)
}
}
{
<CODE HERE>
}
}
Not tested but would keep the filepath consistent. Even though I hate how it's appended two times now...
| scheme := "http" | ||
| if isTLS { | ||
| scheme = "https" | ||
| } |
There was a problem hiding this comment.
Feels like we block the option to disable tls as something fixed here? Not that insecure is a good thing but this feels like taking away customizability that was once there and some clusters might rely on.
There was a problem hiding this comment.
So if we specify etcdInsecure (above), etcd-manager will override the scheme in the URLs here.
We could allow users to specify etcd insecure (somehow). Currently we default the fields to on when etcd-manager is in use, and because they're bool and not *bool it is difficult to know whether the value is false or just unset, but we could create another field.
The workaround for now is to set the etcd provider back to legacy, but that option will go away in 1.13. But if there are people that need insecure, maybe we can rely on this workaround for now.
There was a problem hiding this comment.
Oh, I missed this is etcdmanager only. Ignore this 👍
|
Added a commit which updates docs to make it less alpha sounding, but still encourage backups. I also need to get this into the release notes - I had started it ... somewhere |
|
Also added some release notes, though they mostly refer to the etcd-manager doc (rather than repeating it entirely!) |
Thanks for suggestion @chrisz100!
justinsb
force-pushed
the
integration_etcd
branch
from
492050c to
f024129
Compare
k8s-ci-robot
added
the
lgtm
…not visible in terraformer
In 1.12 (kops & kubenetes):