Kubespray: Issues with client admin.conf in v2.9

Created on 4 May 2019 · 3 Comments · Source: kubernetes-sigs/kubespray

In version v2.9, kubespray changes from downloading admin.conf from a master to the client, to using the "kubeadm alpha kubeconfig user" command to generate a user admin.conf. The PR is here:
https://github.com/kubernetes-sigs/kubespray/pull/4056

This command requires that the "server" entry in the admin.conf be an ip-address, because it does not support providing DNS names. This is discussed here:
https://github.com/kubernetes-sigs/kubespray/pull/4060/files
and documented here:
https://v1-13.docs.kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-alpha/#cmd-phase-kubeconfig

This change introduces two issues when using an external load-balancer:
1) Kubespray no longer supports using the apiserver_loadbalancer_domain_name variable for the admin.conf instead of loadbalancer_apiserver.address. There are clear reasons as to why we would want a domain name instead of an IP address.

2) The client admin.conf cannot access the cluster, giving a message:
unable to connect to the server: x509: certificate is valid for 192.168.160.1, 10.33.101.215, 192.168.190.1, 127.0.0.1, 10.33.101.215, not 10.33.89.15 (10.33.89.15 being the IP address in admin.conf)
- There is a workaround by supplying the loadbalancer_apiserver.address to the supplementary_addresses_in_ssl_keys variable.
- I'm wondering if the loadbalancer_apiserver.address variable should be aggregated into the apiserver_sans list which is used in the apiServerCertSANs section of the kubeadm-config:
https://github.com/kubernetes-sigs/kubespray/blob/release-2.9/roles/kubernetes/master/tasks/kubeadm-setup.yml#L46

I would be happy to submit a PR for the second issue, but is there anything we can do about the first issue? If apiserver_loadbalancer_domain_name is provided, then download the admin.conf instead of creating it with kubeadm?

All 3 comments

I might be missing something, but I don't think that this PR resolves either problem raised in this issue, and would like to reopen it.

You are right.

The loadbalancer_apiserver.address should be aggregated to the apiserver_sans

Can you provide a PR, thanks!

Thanks for reopening the issue, and yes will try and get a PR submitted this week.

Any thoughts about the possibility of adding back support for using apiserver_loadbalancer_domain_name when provided in the admin.conf instead of loadbalancer_apiserver.address? I understand it's not yet supported in kubeadm, but still would much prefer to have the DNS name in the admin.conf instead of an IP. I can write up a PR that simply downloads the admin.conf (the way kubespray 2.8 does it) when apiserver_loadbalancer_domain_name is provided, instead of using kubeadm to generate the config. Or maybe a variable choosing that option? Or another option?
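
The x509 mismatch reported in the issue can be caught before a generated admin.conf is handed out. The following is an added example, not part of the thread and not kubespray code: it checks whether the host in a kubeconfig `server:` URL is covered by the apiserver certificate's SAN list. The SAN matching is a simplified assumption (IP hosts match IP SANs only; DNS names match exactly or through one leftmost `*` label), and the port and DNS name in the sample data are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


def as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def server_host(server_url):
    """Extract the host from a kubeconfig 'server:' URL."""
    host = urlsplit(server_url).hostname
    if not host:
        raise ValueError(f"no host in server URL: {server_url!r}")
    return host


def host_covered(host, sans):
    """True if host is matched by one of the certificate SAN entries."""
    ip = as_ip(host)
    if ip is not None:
        # An IP endpoint is only ever matched by an IP SAN, never a DNS SAN.
        return any(as_ip(s) == ip for s in sans)
    host = host.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if as_ip(san) is not None:
            continue  # IP SANs cannot satisfy a DNS name
        if san == host:
            return True
        # A wildcard covers exactly one leftmost label.
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def uncovered_servers(server_urls, sans):
    """Return the server URLs whose host the certificate would reject."""
    return [u for u in server_urls if not host_covered(server_host(u), sans)]


# SAN addresses and the rejected address as quoted in the issue's error text.
ISSUE_SANS = ["192.168.160.1", "10.33.101.215", "192.168.190.1", "127.0.0.1"]
# Constructed sample endpoints: port 6443 and the DNS name are assumptions.
SERVERS = ["https://10.33.89.15:6443", "https://10.33.101.215:6443",
           "https://k8s-api.example.internal:6443"]

if __name__ == "__main__":
    print(uncovered_servers(SERVERS, ISSUE_SANS))
```

Appending the load balancer address to the SAN list, which is what the supplementary_addresses_in_ssl_keys workaround achieves, clears the IP endpoint; the DNS endpoint stays rejected until a matching DNS SAN is present.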
