Page MenuHomePhabricator
Create Task
Maniphest T280300

Validate that maintain-kubeusers works with k8s 1.18
Closed, ResolvedPublic
Actions

Description

Usually, you'd spin up a cluster with the version of k8s on minikube for this task and ensure that the tests pass, following the instructions in the README for https://gerrit.wikimedia.org/g/labs/tools/maintain-kubeusers/+/refs/heads/master

If they don't pass, you'll need to check the errors and changelogs for 1.18 to find out why. It's usually api version changes, but it can be the python-kubernetes client getting too old (it is out of date as is).

If it cannot be run on 1.18 because it is too old, you can validate against 1.19 usually since anything that works on 1.19 should work on 1.18. Deploying to toolsbeta and creating a new tool there (which is only possible for WMCS staff at this time) is the final confirmation before building the image with the :latest tag and deploying to tools.

Details

SubjectRepoBranchLines +/-
Add RBAC rules to allow using certificate signerslabs/tools/maintain-kubeusersmaster+401 -338
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bstorm created this task.Apr 15 2021, 10:19 PM
taavi claimed this task.Apr 16 2021, 6:57 AM
Restricted Application added a project: User-Majavah. · View Herald TranscriptApr 16 2021, 6:57 AM
taavi added a comment.Apr 16 2021, 7:31 AM

Minikube is refusing to start a 1.18 env for me so I'm testing with 1.19. tests/test_api.py is failing all tests, certificatesigningrequests.certificates.k8s.io \"tool-blurp\" is forbidden: user not permitted to approve requests with signerName \"kubernetes.io/legacy-unknown\". Kubernetes has the concept of a "certificate signer" and starting with 1.18 the service account approving the CSR must have access to use that specific approver, we don't grant that. Kubernetes 1.19 will introduce the stable v1 of the certificates API which disallows the use of the default "kubernetes.io/legacy-unknown" signer. 1.18 still supports the legacy one, but given the new ones are already available, I believe kubernetes.io/kube-apiserver-client is correct for these client certs.

gerritbot added a comment.Apr 16 2021, 8:01 AM

Change 680244 had a related patch set uploaded (by Majavah; author: Majavah):

[labs/tools/maintain-kubeusers@master] Add RBAC rules to allow using certificate signers

https://gerrit.wikimedia.org/r/680244

gerritbot added a project: Patch-For-Review.Apr 16 2021, 8:01 AM
taavi added a comment.Apr 16 2021, 8:04 AM

It won't be as easy as I would have hoped for, mostly because the Python k8s library is behind k8s releases and does not support some of the features that I would want it to, namely specifying the certificate signer or the stable certificates/v1 api. The current setup (see patch) will work until 1.22.

taavi mentioned this in T280299: Upgrade Toolforge Kubernetes to latest 1.18.Apr 16 2021, 8:12 AM
Bstorm added a comment.Apr 16 2021, 3:47 PM
In T280300#7008122, @Majavah wrote:

Minikube is refusing to start a 1.18 env for me so I'm testing with 1.19. tests/test_api.py is failing all tests, certificatesigningrequests.certificates.k8s.io \"tool-blurp\" is forbidden: user not permitted to approve requests with signerName \"kubernetes.io/legacy-unknown\". Kubernetes has the concept of a "certificate signer" and starting with 1.18 the service account approving the CSR must have access to use that specific approver, we don't grant that. Kubernetes 1.19 will introduce the stable v1 of the certificates API which disallows the use of the default "kubernetes.io/legacy-unknown" signer. 1.18 still supports the legacy one, but given the new ones are already available, I believe kubernetes.io/kube-apiserver-client is correct for these client certs.

Great catch!

Bstorm added a comment.Apr 16 2021, 3:48 PM
In T280300#7008144, @Majavah wrote:

It won't be as easy as I would have hoped for, mostly because the Python k8s library is behind k8s releases and does not support some of the features that I would want it to, namely specifying the certificate signer or the stable certificates/v1 api. The current setup (see patch) will work until 1.22.

Yes, the python client is lagging behind badly. This may need to be rewritten in golang if that keeps up.

taavi triaged this task as Medium priority.Apr 17 2021, 9:03 AM
gerritbot added a comment.Apr 20 2021, 7:17 PM

Change 680244 merged by jenkins-bot:

[labs/tools/maintain-kubeusers@master] Add RBAC rules to allow using certificate signers

https://gerrit.wikimedia.org/r/680244

taavi mentioned this in rLTMK620412d6b103: Add RBAC rules to allow using certificate signers.Apr 20 2021, 7:36 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 20 2021, 8:11 PM
Stashbot added a comment.Apr 20 2021, 9:49 PM

Mentioned in SAL (#wikimedia-cloud) [2021-04-20T21:49:57Z] <bstorm> tagged the latest maintain-kubeusers and deployed to toolforge (with kustomize changes to rbac) after testing in toolsbeta T280300

taavi closed this task as Resolved.Jun 9 2021, 5:39 AM

Done by creating a new tool test7 on toolsbeta.

taavi mentioned this in T286857: Update maintain-kubeusers to certificates/v1 api.Jul 18 2021, 7:32 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL