
[1.24] change windows calico setup to generate a sa token #2940

Merged: 7 commits merged into rancher:master from bug/calico-sa-token-fix-1.24 on May 20, 2022

Conversation

@rosskirkpat (Contributor) commented May 18, 2022

Proposed Changes

As part of the 1.24 service account token changes, RKE2 Windows agents can no longer start up due to the calico-node service account token missing since secrets aren't created by default for SAs in 1.24. This PR gets the calico-node service account and generates a token for it using the TokenRequest API.

This is caused by a change in Kubernetes 1.24, documented in the upstream changelog:

The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the TokenRequest API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this guide. (kubernetes/kubernetes#108309, @zshihang)

Types of Changes

bugfix

Verification

Provisioning testing as well as upgrading from 1.23 -> 1.24. Commit testing is passing using b290b7925f9393c2ad935015cb4087631adfc2af

NAME              STATUS   ROLES                       AGE   VERSION          INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                         KERNEL-VERSION    CONTAINER-RUNTIME
ec2amaz-ru7d335   Ready    <none>                      47s   v1.24.0          10.0.1.198    <none>        Windows Server 2019 Datacenter   10.0.17763.2928   containerd://1.6.4
ip-10-0-1-148     Ready    control-plane,etcd,master   8h    v1.24.0+rke2r1   10.0.1.148    <none>        Ubuntu 20.04.2 LTS               5.4.0-1045-aws    containerd://1.6.4-k3s1
ip-10-0-1-72      Ready    <none>                      8h    v1.24.0+rke2r1   10.0.1.72     <none>        Ubuntu 20.04.2 LTS               5.4.0-1045-aws    containerd://1.6.4-k3s1

Linked Issues

#2939

Further Comments

The RKE2 kubelet on Windows throws an error regarding the image credential provider bin directory missing. This doesn't stop the node from becoming ready, but I will open an issue for it: #2958

{Kubelet image credential provider bin directory check failed: CreateFile /var/lib/rancher/credentialprovider/bin: The system cannot find the path specified.}

{Running RKE2 kubelet [--cgroups-per-qos=false --enforce-node-allocatable= --file-check-frequency=5s --hairpin-mode=promiscuous-bridge --resolv-conf=
--sync-frequency=30s --address=0.0.0.0 --alsologtostderr=false --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook
--client-ca-file=C:\var\lib\rancher\rke2\agent\client-ca.crt --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime=remote
--container-runtime-endpoint=npipe:////./pipe/containerd-containerd --fail-swap-on=false --healthz-bind-address=127.0.0.1
--hostname-override=ec2amaz-ru7d335 --kubeconfig=C:\var\lib\rancher\rke2\agent\kubelet.kubeconfig --log-file=\var\lib\rancher\rke2\agent\logs\kubelet.log
--log-file-max-size=50 --logtostderr=false --node-labels= --pod-infra-container-image=index.docker.io/rancher/pause:3.6
--pod-manifest-path=C:\var\lib\rancher\rke2\agent\pod-manifests --read-only-port=0 --resolv-conf=C:\var\lib\rancher\rke2\agent\etc\resolv.conf
--serialize-image-pulls=false --stderrthreshold=FATAL --tls-cert-file=C:\var\lib\rancher\rke2\agent\serving-kubelet.crt
--tls-private-key-file=C:\var\lib\rancher\rke2\agent\serving-kubelet.key]}
{Running kubelet --address=0.0.0.0 --alsologtostderr=false --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook
--client-ca-file=C:\var\lib\rancher\rke2\agent\client-ca.crt --cluster-dns=10.43.0.10 --cluster-domain=cluster.local --container-runtime=remote
--container-runtime-endpoint=npipe:////./pipe/containerd-containerd --eviction-hard=imagefs.available<5%,nodefs.available<5%
--eviction-minimum-reclaim=imagefs.available=10%,nodefs.available=10% --fail-swap-on=false --healthz-bind-address=127.0.0.1
--hostname-override=ec2amaz-ru7d335 --kubeconfig=C:\var\lib\rancher\rke2\agent\kubelet.kubeconfig --log-file=\var\lib\rancher\rke2\agent\logs\kubelet.log
--log-file-max-size=50 --logtostderr=false --node-labels= --pod-infra-container-image=index.docker.io/rancher/pause:3.6
--pod-manifest-path=C:\var\lib\rancher\rke2\agent\pod-manifests --read-only-port=0 --resolv-conf=C:\var\lib\rancher\rke2\agent\etc\resolv.conf
--serialize-image-pulls=false --stderrthreshold=FATAL --tls-cert-file=C:\var\lib\rancher\rke2\agent\serving-kubelet.crt
--tls-private-key-file=C:\var\lib\rancher\rke2\agent\serving-kubelet.key}
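
The TokenRequest exchange this PR switches to, as an added example that is not code from the PR or from RKE2: a Go client that POSTs an authentication.k8s.io/v1 TokenRequest to the serviceaccounts/token subresource for the calico-node service account, checks the 201 response, and decodes the returned JWT payload so the caller can confirm the subject and expiry before persisting the token. It runs against a constructed stand-in for kube-apiserver (fakeAPIServer) so it works offline; the namespace calico-system, the bearer credential "node-credential", the 3600-second lifetime and the fake server's checks (bearer header, path shape, 10-minute minimum lifetime) are assumptions for illustration. A real client carries the node's kubeconfig credentials, needs RBAC permission to create serviceaccounts/token for that SA, and, because every TokenRequest token expires, has to request a fresh token before the expiry it is handed back; a non-expiring token would instead need the Secret-based path described in the changelog quoted above.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// TokenRequest mirrors the authentication.k8s.io/v1 TokenRequest wire shape (only the fields used here).
type TokenRequest struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		ExpirationSeconds int64 `json:"expirationSeconds,omitempty"`
	} `json:"spec"`
	Status struct {
		Token               string    `json:"token"`
		ExpirationTimestamp time.Time `json:"expirationTimestamp"`
	} `json:"status"`
}

// RequestSAToken POSTs a TokenRequest to the serviceaccounts/token subresource and returns the minted
// token with its expiry. bearer is the caller's own credential (assumed here; RKE2 would use the node's
// kubeconfig identity), which RBAC must allow to create serviceaccounts/token for that SA.
func RequestSAToken(c *http.Client, apiServer, bearer, ns, name string, expSeconds int64) (string, time.Time, error) {
	var tr TokenRequest
	tr.APIVersion, tr.Kind, tr.Spec.ExpirationSeconds = "authentication.k8s.io/v1", "TokenRequest", expSeconds
	body, _ := json.Marshal(tr)
	url := fmt.Sprintf("%s/api/v1/namespaces/%s/serviceaccounts/%s/token", apiServer, ns, name)
	req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(string(body)))
	if err != nil {
		return "", time.Time{}, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+bearer)
	resp, err := c.Do(req)
	if err != nil {
		return "", time.Time{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated { // a successful create is answered with 201
		return "", time.Time{}, fmt.Errorf("token request for %s/%s failed: %s", ns, name, resp.Status)
	}
	var out TokenRequest
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Status.Token == "" {
		return "", time.Time{}, fmt.Errorf("malformed TokenRequest response: %v", err)
	}
	return out.Status.Token, out.Status.ExpirationTimestamp, nil
}

// JWTClaims decodes a JWT payload without verifying the signature, so the caller can sanity-check
// sub/exp before the token is written to disk; signature verification stays with the apiserver.
func JWTClaims(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a JWT: %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(raw, &claims)
}

// fakeAPIServer is a constructed stand-in for kube-apiserver (not the real thing): it checks the bearer
// header and path, requires an explicit lifetime of at least 600s, and mints an unsigned JWT-shaped token.
func fakeAPIServer(expectBearer string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seg := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if r.Method != http.MethodPost || r.Header.Get("Authorization") != "Bearer "+expectBearer {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		if len(seg) != 7 || seg[0] != "api" || seg[2] != "namespaces" || seg[4] != "serviceaccounts" || seg[6] != "token" {
			http.NotFound(w, r)
			return
		}
		var in TokenRequest
		if err := json.NewDecoder(r.Body).Decode(&in); err != nil || in.Spec.ExpirationSeconds < 600 {
			http.Error(w, "expirationSeconds must be at least 600", http.StatusBadRequest)
			return
		}
		expires := time.Now().Add(time.Duration(in.Spec.ExpirationSeconds) * time.Second)
		claims, _ := json.Marshal(map[string]interface{}{
			"sub": fmt.Sprintf("system:serviceaccount:%s:%s", seg[3], seg[5]), "exp": expires.Unix(),
		})
		enc := base64.RawURLEncoding.EncodeToString
		in.Status.Token = enc([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc(claims) + ".constructed-signature"
		in.Status.ExpirationTimestamp = expires
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(in)
	}))
}

func main() {
	srv := fakeAPIServer("node-credential") // constructed credential and namespace, for illustration only
	defer srv.Close()
	tok, exp, err := RequestSAToken(srv.Client(), srv.URL, "node-credential", "calico-system", "calico-node", 3600)
	claims, _ := JWTClaims(tok)
	fmt.Println(claims["sub"], exp.Format(time.RFC3339), err)
}
```

The status code check and the empty-token check matter in practice: a 403 from RBAC or a response without status.token would otherwise be written to disk as an empty credential and only show up later as an unauthenticated calico-node. Whatever persists the token must also schedule a refresh before status.expirationTimestamp, since the apiserver will not honour the token after that point.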

@rosskirkpat rosskirkpat added this to the v1.24.1 + rke2r1 milestone May 18, 2022
@rosskirkpat rosskirkpat requested a review from a team as a code owner May 18, 2022 20:29
@rosskirkpat rosskirkpat self-assigned this May 18, 2022
@phillipsj (Contributor) reviewed:

LGTM!

Review thread on pkg/windows/calico.go (outdated, resolved)
@rosskirkpat rosskirkpat requested a review from brandond May 18, 2022 23:18
Review threads on pkg/windows/calico.go (two outdated, all resolved)
@rosskirkpat rosskirkpat requested review from brandond and phillipsj May 19, 2022 00:53
Review thread on pkg/rke2/clusterrole_bootstrap.go (outdated, resolved)
Review threads on pkg/windows/calico.go (outdated, resolved)
@brandond (Member) reviewed:

Two nits on error returns but looks good other than that!

Review threads on pkg/windows/calico.go (outdated, resolved)
@rosskirkpat rosskirkpat force-pushed the bug/calico-sa-token-fix-1.24 branch from 6b886ce to 7366581 Compare May 19, 2022 19:35
@brandond (Member) reviewed:

whoops, missed this one

Review thread on pkg/rke2/clusterrole_bootstrap.go (outdated, resolved)
@rosskirkpat rosskirkpat changed the title change windows calico setup to generate a sa token [1.24] change windows calico setup to generate a sa token May 19, 2022
@rosskirkpat (Contributor, Author) commented:

NAME              STATUS   ROLES                       AGE   VERSION          INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                         KERNEL-VERSION    CONTAINER-RUNTIME
ec2amaz-ru7d335   Ready    <none>                      47s   v1.24.0          10.0.1.198    <none>        Windows Server 2019 Datacenter   10.0.17763.2928   containerd://1.6.4
ip-10-0-1-148     Ready    control-plane,etcd,master   8h    v1.24.0+rke2r1   10.0.1.148    <none>        Ubuntu 20.04.2 LTS               5.4.0-1045-aws    containerd://1.6.4-k3s1
ip-10-0-1-72      Ready    <none>                      8h    v1.24.0+rke2r1   10.0.1.72     <none>        Ubuntu 20.04.2 LTS               5.4.0-1045-aws    containerd://1.6.4-k3s1

With the latest commit, it's working!

Review thread on pkg/rke2/clusterrole_bootstrap.go (outdated, resolved)

@phillipsj (Contributor) reviewed:

LGTM!

@rosskirkpat rosskirkpat requested a review from brandond May 19, 2022 23:00
@rosskirkpat rosskirkpat merged commit 562228e into rancher:master May 20, 2022
@rosskirkpat rosskirkpat deleted the bug/calico-sa-token-fix-1.24 branch May 20, 2022 10:57
Labels: area/windows, kind/bug (Something isn't working)
4 participants