Configure and install out-of-tree gcp credential provider #111495
@ndixita: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi @ndixita. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/milestone v1.26
@ndixita: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Milestone Maintainers Team and have them propose you as an additional delegate for this responsibility. In response to this:
@ndixita: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
/cc @ruiwen-zhao
/ok-to-test
/retest
/cc @bobbypage
Thanks for working on this! Left a few comments
1cce947 to e0b72d0
Thanks for the updates, just a few small comments.
cluster/gce/gci/configure.sh
Outdated
local auth_config_file="${KUBE_HOME}/cri_auth_config.yaml" | ||
cat >> "${auth_config_file}" << EOF | ||
kind: CredentialProviderConfig | ||
apiVersion: kubelet.config.k8s.io/v1alpha1 |
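Review bot: `cat >> "${auth_config_file}"` appends, so if this function runs a second time on the same node, cri_auth_config.yaml ends up holding two CredentialProviderConfig documents one after the other. Write the file with `cat > "${auth_config_file}"` so each run replaces it, and declare the path with `local -r`, since the visible lines never reassign it.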
should the api version be /v1beta1?
cluster/gce/gci/configure.sh
Outdated
@@ -644,6 +683,16 @@ function install-kube-binary-config { | |||
log-wrap "RemountFlexVolume" remount-flexvolume-directory "${VOLUME_PLUGIN_DIR}" | |||
fi | |||
|
|||
# When ENABLE_AUTH_PROVIDER_GCP is set, following flags for out-of-tree credential provider for GCP | |||
# are presented to kubelet: | |||
# --feature-gates=DisableKubeletCloudCredentialProviders=true,KubeletCredentialProviders=true |
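Review bot: The comment added in install-kube-binary-config says the flags "are presented to kubelet" when ENABLE_AUTH_PROVIDER_GCP is set, but it does not say which variable or function carries them, so a reader cannot tell from here whether the `--feature-gates=...` line is set by this script or expected from the caller. Name the source of each flag in the comment and state which of them the operator must supply.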
This comment regarding feature gate being enabled automatically with ENABLE_AUTH_PROVIDER_GCP is no longer true (maybe note that it is required that those two feature gates should be enabled)
cluster/gce/gci/configure.sh
Outdated
@@ -546,6 +548,43 @@ function install-containerd-ubuntu { | |||
sudo systemctl start containerd | |||
} | |||
|
|||
function install-auth-provider-gcp { | |||
local -r auth_provider_tar="auth-provider-gcp-${DEFAULT_AUTH_PROVIDER_GCP_VERSION}-${HOST_PLATFORM}_amd64.tar.gz" |
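Review bot: On the `local -r auth_provider_tar=...` line the tarball is identified only by DEFAULT_AUTH_PROVIDER_GCP_VERSION and HOST_PLATFORM; nothing in the visible lines pairs it with an expected digest. Because kubelet executes this binary to obtain registry credentials, define a pinned hash next to the version variable and verify the download against it before unpacking.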
Instead of hardcoding _amd64.tar.gz, I would use ${HOST_ARCH} (so we can expand it to other arch later if needed).
i.e. follow same naming scheme as NPD:
local -r npd_tar="node-problem-detector-${npd_version}-${HOST_PLATFORM}_${HOST_ARCH}.tar.gz"
https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/gci/configure.sh#L290
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dchen1107, ndixita The full list of commands accepted by this bot can be found here. The pull request process is described here
e0b72d0 to d1deca1
/retest
Thanks for the updates! /lgtm
the alpha e2e job has been red for about 3 days, corresponding roughly with when this PR merged... is there any config in the alpha job that would cause problems with this configuration?
trying the alpha e2e job with #112075 reverting this change to see if that resolves the bring-up error
This PR is a no-op unless ENABLE_AUTH_PROVIDER_GCP is set. And I don't think any test job has set up ENABLE_AUTH_PROVIDER_GCP yet.
For tracking purposes, this PR is for kubernetes/enhancements#2133
What type of PR is this?
/kind feature
/sig node
/sig testing
What this PR does / why we need it:
This PR adds GCP-specific implementation for tests to validate external credential provider feature in order to promote the feature to GA. Changes include:
Special notes for your reviewer:
Does this PR introduce a user-facing change?