Maintain-kubeusers is using certificates/v1beta1, it needs to be updated to certificates/v1 before updating to Kubernetes 1.22. As of T280300 the Python API bindings we were using unfortunately did not support that API yet.
Description
Description
Details
Details
| Project | Branch | Lines +/- | Subject | |
|---|---|---|---|---|
| labs/tools/maintain-kubeusers | master | +2 K -1 K | Use stable certificates API |
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Open | None | T327025 Upgrade Toolforge Kubernetes to version 1.26 | |||
| Open | None | T316107 Upgrade Toolforge Kubernetes to version 1.25 | |||
| Open | None | T307651 Upgrade Toolforge Kubernetes to version 1.24 | |||
| Open | None | T298005 Upgrade Toolforge Kubernetes to version 1.23 | |||
| Resolved | taavi | T286856 Upgrade Toolforge Kubernetes to latest 1.22 | |||
| Resolved | taavi | T286857 Update maintain-kubeusers to certificates/v1 api | |||
| Resolved | Bstorm | T289390 Certificate generation is broken in toolsbeta |
Event Timeline
Comment Actions
certificates/v1 comes with some interesting problems. For one, you need to include the singerName field or it yells at you. Usually, that's just signerName: kubernetes.io/kube-apiserver-client affect. However, I'm not getting a certificate out the other side when I do that in toolsbeta. I don't know if that's because toolsbeta is broken or something else.
Comment Actions
Turns out there is a new kubernetes-client/python release that at least appears to support the stable certificates v1 API.
Comment Actions
Change 737419 had a related patch set uploaded (by Majavah; author: Majavah):
[labs/tools/maintain-kubeusers@master] Use stable certificates API
Comment Actions
Change 737419 merged by jenkins-bot:
[labs/tools/maintain-kubeusers@master] Use stable certificates API
Comment Actions
Mentioned in SAL (#wikimedia-cloud) [2021-11-16T10:28:29Z] <majavah> deploying maintain-kubeusers changes T286857