Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Configure and install out-of-tree gcp credential provider #111495

Merged
merged 1 commit into from
Aug 24, 2022

Conversation

ndixita
Copy link
Contributor

@ndixita ndixita commented Jul 28, 2022

What type of PR is this?

/kind feature
/sig node
/sig testing

What this PR does / why we need it:

This PR adds GCP-specific implementation for tests to validate external credential provider feature in order to promote the feature to GA. Changes include:

  1. A new environment variable ENABLE_AUTH_PROVIDER_GCP.
  2. The functionality to configure and install out-of-tree GCP auth provider binary built from https://github.com/kubernetes/cloud-provider-gcp/blob/master/cmd/auth-provider-gcp/BUILD#L11 and hosted on a public storage https://storage.googleapis.com/cloud-provider-gcp/auth-provider-gcp-linux_amd64.tar.gz. when environment variable ENABLE_AUTH_PROVIDER_GCP is set.

Special notes for your reviewer:

Does this PR introduce a user-facing change?

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jul 28, 2022
@k8s-ci-robot
Copy link
Contributor

@ndixita: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 28, 2022
@k8s-ci-robot
Copy link
Contributor

Hi @ndixita. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-priority Indicates a PR lacks a `priority/foo` label and requires one. label Jul 28, 2022
@ndixita
Copy link
Contributor Author

ndixita commented Jul 28, 2022

/milestone v1.26

@k8s-ci-robot
Copy link
Contributor

@ndixita: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Milestone Maintainers Team and have them propose you as an additional delegate for this responsibility.

In response to this:

/milestone v1.25

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added area/provider/gcp Issues or PRs related to gcp provider sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 28, 2022
@k8s-ci-robot k8s-ci-robot requested review from marseel and roycaihw July 28, 2022 07:53
@k8s-ci-robot
Copy link
Contributor

@ndixita: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ndixita
Copy link
Contributor Author

ndixita commented Jul 28, 2022

/cc @ruiwen-zhao

@k8s-ci-robot k8s-ci-robot requested a review from ruiwen-zhao July 28, 2022 08:03
@dims
Copy link
Member

dims commented Jul 28, 2022

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Jul 28, 2022
@ndixita
Copy link
Contributor Author

ndixita commented Jul 28, 2022

/retest

@ndixita
Copy link
Contributor Author

ndixita commented Jul 28, 2022

/cc @bobbypage

@k8s-ci-robot k8s-ci-robot requested a review from bobbypage July 28, 2022 21:21
Copy link
Member

@bobbypage bobbypage left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this! Left a few comments

cluster/gce/util.sh Outdated Show resolved Hide resolved
cluster/gce/util.sh Outdated Show resolved Hide resolved
cluster/gce/config-default.sh Show resolved Hide resolved
cluster/gce/gci/configure.sh Outdated Show resolved Hide resolved
cluster/gce/gci/configure.sh Show resolved Hide resolved
cluster/gce/gci/configure.sh Outdated Show resolved Hide resolved
Copy link
Member

@bobbypage bobbypage left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates, just a few small comments.

local auth_config_file="${KUBE_HOME}/cri_auth_config.yaml"
cat >> "${auth_config_file}" << EOF
kind: CredentialProviderConfig
apiVersion: kubelet.config.k8s.io/v1alpha1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should the api version be /v1beta1?

@@ -644,6 +683,16 @@ function install-kube-binary-config {
log-wrap "RemountFlexVolume" remount-flexvolume-directory "${VOLUME_PLUGIN_DIR}"
fi

# When ENABLE_AUTH_PROVIDER_GCP is set, following flags for out-of-tree credential provider for GCP
# are presented to kubelet:
# --feature-gates=DisableKubeletCloudCredentialProviders=true,KubeletCredentialProviders=true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment regarding feature gate being enabled automatically with ENABLE_AUTH_PROVIDER_GCP is no longer true (maybe note that it is required that those two feature gates should be enabled)

@@ -546,6 +548,43 @@ function install-containerd-ubuntu {
sudo systemctl start containerd
}

function install-auth-provider-gcp {
local -r auth_provider_tar="auth-provider-gcp-${DEFAULT_AUTH_PROVIDER_GCP_VERSION}-${HOST_PLATFORM}_amd64.tar.gz"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of hardcoding _amd64.tar.gz, I would use the use ${HOST_ARCH} (so we can expand it to other arch later if needed).

i.e. follow same naming scheme as NPD:

local -r npd_tar="node-problem-detector-${npd_version}-${HOST_PLATFORM}_${HOST_ARCH}.tar.gz"

https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure.sh#L290

@dchen1107 dchen1107 added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 16, 2022
@dchen1107 dchen1107 added this to the v1.26 milestone Aug 16, 2022
@dchen1107
Copy link
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 16, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dchen1107, ndixita

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 16, 2022
@ndixita ndixita force-pushed the node-e2e-gcp-cred-provider branch from e0b72d0 to d1deca1 Compare August 23, 2022 01:00
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 23, 2022
@ndixita
Copy link
Contributor Author

ndixita commented Aug 23, 2022

/retest

@bobbypage
Copy link
Member

Thanks for the updates!

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 24, 2022
@k8s-ci-robot k8s-ci-robot merged commit 5fa65e9 into kubernetes:master Aug 24, 2022
@liggitt
Copy link
Member

liggitt commented Aug 26, 2022

the alpha e2e job has been red for about 3 days, corresponding roughly with when this PR merged... is there any config in the alpha job that would cause problems with this configuration?

https://github.com/kubernetes/test-infra/blob/master/config/jobs/kubernetes/sig-cloud-provider/gcp/gcp-gce.yaml#L340-L384

@liggitt
Copy link
Member

liggitt commented Aug 26, 2022

trying the alpha e2e job with #112075 reverting this change to see if that resolves the bring-up error

@ruiwen-zhao
Copy link
Contributor

This PR is a no-op unless ENABLE_AUTH_PROVIDER_GCP is set. And I dont think any test job has set up ENABLE_AUTH_PROVIDER_GCP yet.

@ruiwen-zhao
Copy link
Contributor

For tracking purposes, this PR is for kubernetes/enhancements#2133

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/provider/gcp Issues or PRs related to gcp provider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants