Page MenuHomePhabricator

Update maintain-kubeusers to certificates/v1 api
Closed, ResolvedPublic


Maintain-kubeusers is using certificates/v1beta1, it needs to be updated to certificates/v1 before updating to Kubernetes 1.22. As of T280300 the Python API bindings we were using unfortunately did not support that API yet.

Event Timeline

nskaggs raised the priority of this task from Low to Medium.

certificates/v1 comes with some interesting problems. For one, you need to include the singerName field or it yells at you. Usually, that's just signerName: affect. However, I'm not getting a certificate out the other side when I do that in toolsbeta. I don't know if that's because toolsbeta is broken or something else.

Turns out there is a new kubernetes-client/python release that at least appears to support the stable certificates v1 API.

Change 737419 had a related patch set uploaded (by Majavah; author: Majavah):

[labs/tools/maintain-kubeusers@master] Use stable certificates API

Change 737419 merged by jenkins-bot:

[labs/tools/maintain-kubeusers@master] Use stable certificates API

Mentioned in SAL (#wikimedia-cloud) [2021-11-16T10:28:29Z] <majavah> deploying maintain-kubeusers changes T286857