Update maintain-kubeusers to certificates/v1 api
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	taavi
	Jul 18 2021, 7:32 AM

Description

Maintain-kubeusers is using certificates/v1beta1, it needs to be updated to certificates/v1 before updating to Kubernetes 1.22. As of T280300 the Python API bindings we were using unfortunately did not support that API yet.

Details

	Subject	Repo	Branch	Lines +/-
	Use stable certificates API	labs/tools/maintain-kubeusers	master	+2 K -1 K

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Open	None	T359641 [infra,k8s] Upgrade Toolforge Kubernetes to version 1.27
Open	None	T327025 Upgrade Toolforge Kubernetes to version 1.26
Open	None	T316107 Upgrade Toolforge Kubernetes to version 1.25
Resolved	aborrero	T307651 Upgrade Toolforge Kubernetes to version 1.24
Resolved	taavi	T298005 Upgrade Toolforge Kubernetes to version 1.23
Resolved	taavi	T286856 Upgrade Toolforge Kubernetes to latest 1.22
Resolved	taavi	T286857 Update maintain-kubeusers to certificates/v1 api
Resolved	Bstorm	T289390 Certificate generation is broken in toolsbeta

Event Timeline

taavi created this task.Jul 18 2021, 7:32 AM

• nskaggs triaged this task as Low priority.Aug 10 2021, 4:25 PM

• nskaggs raised the priority of this task from Low to Medium.

certificates/v1 comes with some interesting problems. For one, you need to include the singerName field or it yells at you. Usually, that's just signerName: kubernetes.io/kube-apiserver-client affect. However, I'm not getting a certificate out the other side when I do that in toolsbeta. I don't know if that's because toolsbeta is broken or something else.

Bstorm added a subtask: T289390: Certificate generation is broken in toolsbeta.Aug 21 2021, 12:08 AM

Bstorm closed subtask T289390: Certificate generation is broken in toolsbeta as Resolved.Aug 21 2021, 12:22 AM

Bstorm mentioned this in T286856: Upgrade Toolforge Kubernetes to latest 1.22.Sep 30 2021, 7:05 PM

Turns out there is a new kubernetes-client/python release that at least appears to support the stable certificates v1 API.

Change 737419 had a related patch set uploaded (by Majavah; author: Majavah):

[labs/tools/maintain-kubeusers@master] Use stable certificates API

https://gerrit.wikimedia.org/r/737419

gerritbot added a project: Patch-For-Review.Nov 8 2021, 4:03 PM

Change 737419 merged by jenkins-bot:

[labs/tools/maintain-kubeusers@master] Use stable certificates API

https://gerrit.wikimedia.org/r/737419

Mentioned in SAL (#wikimedia-cloud) [2021-11-16T10:28:29Z] <majavah> deploying maintain-kubeusers changes T286857