✨ Add EncryptionAlgorithm to Kubeadmconfig #12859
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Need to add unit test cases and fix existing tests. Not super confident about the changes; have broken some interfaces as well. Based on the initial review, and if the path chosen is correct, I will update accordingly. @sbueringer please take a look when time permits.
Thx! I think I covered the open points, but just ping me if you want to discuss anything else.
Definitely feel free to ping me again after the next iteration on the prod code for another quick review
| // Generate Cluster Kubeconfig if needed | ||
| if result, err := r.reconcileKubeconfig(ctx, controlPlane); !result.IsZero() || err != nil { | ||
| if result, err := r.reconcileKubeconfig(ctx, controlPlane); err != nil || !result.IsZero() { |
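Review bot: the operand swap in the reconcileKubeconfig condition is behaviour-neutral (neither err != nil nor result.IsZero() has side effects) and is unrelated to the EncryptionAlgorithm change; drop it from this PR so the diff stays focused, and do the err-first ordering across the code base in a separate consistency PR.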
Please revert this one
Reverted it.
May not be needed or relevant wrt this PR, but I feel it's better to maintain a standard for this. I see some places with
!result.IsZero() || err != nil and in some others err != nil || !result.IsZero()
The IDE suggests checking the error first.
Got it. Makes sense and I agree with checking error first. Let's just do this everywhere and in a separate PR.
Feel free to open a PR, but please do it on top of #12857 or after #12857 is merged (I get rid of some of these cases in that PR)
Sure, I will do it later. Thank you.
@sbueringer thanks for the review, I have updated accordingly and it is ready for the next round of review. Please take a look when time permits. I tried the approach of changing the existing thing rather than avoiding the breakage for users; I will remember it for the next time. Thanks
All good. I think it's a bit of a trade-off and probably also a case-by-case decision. Thx for asking for early feedback! I'll take another look
util/kubeconfig/kubeconfig.go (Outdated)
| // New creates a new Kubeconfig using the cluster name and specified endpoint. | ||
| func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Signer) (*api.Config, error) { | ||
| func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Signer, options ...KubeConfigurationOption) (*api.Config, error) { |
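Review bot: the variadic options parameter keeps every existing caller of New compiling, which is the right shape for this change, but the godoc directly above still only mentions the cluster name and endpoint; document what an option can override and which algorithm is used when no option is passed, since that default decides the key size of every generated kubeconfig.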
| func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Signer, options ...KubeConfigurationOption) (*api.Config, error) { | |
| func New(clusterName, endpoint string, caCert *x509.Certificate, caKey crypto.Signer, options ...KubeconfigOption) (*api.Config, error) { |
Just for consistency with a few other places
Thought of doing that based on your earlier feedback, but it gives me a warning that the interface name starts with the package name "kubeconfig". If that is good to go, then I can rename.
Fine to ignore. We often try to consider that but sometimes the alternative is worse 😀
(The current name doesn't trigger the warning but the "problem" (that it stutters) isn't really gone. But I think KubeconfigOption is just the best name here)
Ok, in that case I can rename it to KubeconfigOption.
Did another quick round of review. I think the e2e test failure might just be a flake but let's see.
/retest
If tests are green and the findings above are addressed I would do a full review (just need a bigger block of time for that)
| // GetKeyEncryptionAlgorithm returns the control plane EncryptionAlgorithm. | ||
| func (c *ControlPlane) GetKeyEncryptionAlgorithm() bootstrapv1.EncryptionAlgorithmType { | ||
| return c.KCP.Spec.KubeadmConfigSpec.ClusterConfiguration.EncryptionAlgorithm |
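Review bot: GetKeyEncryptionAlgorithm returns the field as stored, so a KubeadmConfigSpec that never set EncryptionAlgorithm yields the empty string and every caller has to know the fallback; returning the resolved default from here (or defaulting the field when the spec is reconciled) keeps the "" special case out of the key-size switch and lets logs name the algorithm that was actually used.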
q: should we return the "default" encryption algo used by CAPI (or kubeadm) in case the field is not set?
Considering we are carrying this info around and using it, being explicit could help in troubleshooting...
Yeah, that's a good option. Updated it.
| // the default size of 2048. | ||
| func rsaKeySizeFromAlgorithmType(keyEncryptionAlgorithm bootstrapv1.EncryptionAlgorithmType) int { | ||
| switch keyEncryptionAlgorithm { | ||
| case bootstrapv1.EncryptionAlgorithmRSA2048, "": |
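Review bot: the , "" in the RSA2048 case silently maps an unset field to 2048, and the godoc fragment above ("the default size of 2048") suggests unknown values fall back the same way; if the defaulting stays in this function rather than one level up, its godoc should state that an empty type means the default, and an unrecognised value is better reported as an error than treated as RSA-2048.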
, "" is sort of confusing (added a comment also in control_plane.go)
Have to take another look, but probably we have to handle this here in case folks are not setting the EncryptionAlgorithm option (or do the defaulting one level higher or so)
But godoc at least would be helpful
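The defaulting discussed in this thread, as an added example (not code from the PR or from cluster-api): resolve an unset EncryptionAlgorithm to an explicit default in one place, so the key-size mapping needs no `, ""` case and unknown values fail loudly instead of silently becoming 2048. The type, constant and function names are constructed for this example; only the RSA-2048 default comes from the PR text.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// EncryptionAlgorithmType mirrors the kubeadm field; names and values here are constructed for this example.
type EncryptionAlgorithmType string

const (
	EncryptionAlgorithmRSA2048 EncryptionAlgorithmType = "RSA-2048"
	EncryptionAlgorithmRSA4096 EncryptionAlgorithmType = "RSA-4096"
	DefaultEncryptionAlgorithm                         = EncryptionAlgorithmRSA2048
)

// ResolveEncryptionAlgorithm is the single place "" becomes the explicit default, so consumers and logs see a concrete name.
func ResolveEncryptionAlgorithm(configured EncryptionAlgorithmType) EncryptionAlgorithmType {
	if configured == "" {
		return DefaultEncryptionAlgorithm
	}
	return configured
}

// rsaKeySizeFromAlgorithmType expects a resolved value and rejects anything unknown rather than defaulting to 2048.
func rsaKeySizeFromAlgorithmType(alg EncryptionAlgorithmType) (int, error) {
	switch alg {
	case EncryptionAlgorithmRSA2048:
		return 2048, nil
	case EncryptionAlgorithmRSA4096:
		return 4096, nil
	}
	return 0, fmt.Errorf("unsupported encryption algorithm %q", alg)
}

// NewRSAKey sizes a CA/kubeconfig signing key from the configured (possibly empty) algorithm, resolving the default first.
func NewRSAKey(configured EncryptionAlgorithmType) (*rsa.PrivateKey, error) {
	bits, err := rsaKeySizeFromAlgorithmType(ResolveEncryptionAlgorithm(configured))
	if err != nil {
		return nil, err
	}
	return rsa.GenerateKey(rand.Reader, bits)
}

func main() {
	key, err := NewRSAKey("") // unset field resolves to RSA-2048
	fmt.Println(key.N.BitLen(), err)
}
```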
| g.Expect(err).ToNot(HaveOccurred()) | ||
| workloadCluster, err := m.GetWorkloadCluster(ctx, tt.clusterKey) | ||
| workloadCluster, err := m.GetWorkloadCluster(ctx, tt.clusterKey, "") |
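Review bot: passing "" for the new GetWorkloadCluster parameter makes this test depend on whatever fallback the implementation applies to an empty algorithm; pass the explicit default constant instead so the test asserts the intended algorithm and keeps working if "" later becomes an error.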
Let's use the default encryption algo instead of ""
Some misconfiguration, will check
Maybe similar to #12859 (comment)
@Karthik-K-N: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Just checking again to make sure it passes.
/test pull-cluster-api-e2e-main
Triggering all for more data
What this PR does / why we need it:
This PR adds EncryptionAlgorithm to KubeadmConfig and necessary changes
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #10077
/area provider/bootstrap-kubeadm