Skip to content

add kubeconfig file properly#3316

Merged
j3ffml merged 3 commits into
kubernetes:masterfrom
deads2k:deads-add-kubeconfig-file-properly
Jan 8, 2015
Merged

add kubeconfig file properly#3316
j3ffml merged 3 commits into
kubernetes:masterfrom
deads2k:deads-add-kubeconfig-file-properly

Conversation

@deads2k

@deads2k deads2k commented Jan 8, 2015

Copy link
Copy Markdown
Contributor

This restores #2861, but it has an additional commit to fix two problems with loading existing .kubernetes_auth files that caused the e2e failure forcing #3282.

  1. The Insecure options specified in a .kuberentes_auth file was clobbered by the insecure option in .kubeconfig. A test was added to be sure that this doesn't happen again.
  2. The default --auth-path flag value (~/.kubernetes_auth) was lost. Because kubectl.sh special cases a non-default --auth-path for vagrant, this went unnoticed. I've restored the default and manually tested to be sure that ~/.kuberentes_auth is now read by default if no other authentication information is provided.

@derekwaynecarr Can you please take a look?

@zmerlynn

zmerlynn commented Jan 8, 2015

Copy link
Copy Markdown
Member

Rebase? (I was about to double check the GKE provider as well but couldn't just yet.)

@deads2k

deads2k commented Jan 8, 2015

Copy link
Copy Markdown
Contributor Author

@zmerlynn rebasing now. Looks like f30846e indirectly changed how client.IsConfigTransportTLS() works. Now it requires a version. I'll add another commit to highlight the change I'm going to make there.

@deads2k

deads2k commented Jan 8, 2015

Copy link
Copy Markdown
Contributor Author

b03fbf9 rather.

@deads2k deads2k force-pushed the deads-add-kubeconfig-file-properly branch from 25dd3cf to cf462b3 Compare January 8, 2015 15:22
@deads2k

deads2k commented Jan 8, 2015

Copy link
Copy Markdown
Contributor Author

@smarterclayton The rebase required changes in pkg/client/helper.go where behavior of defaultServerUrlFor changed. You'll want to look at the last commit to see if you agree.

@zmerlynn

zmerlynn commented Jan 8, 2015

Copy link
Copy Markdown
Member

Hm. This may be clutter in my home directory, but:

Project: artful-fortress-786
... in detect-minions()
Running: gcloud preview container kubectl --project=artful-fortress-786 --zone=us-central1-f --cluster=zml-gke-e2e get minions -o template -t {{range.items}}{{.id}}
{{end}}
ERROR: F0108 07:38:17.676386    3552 get.go:58] more than one authentication method found for  .  Found [authFile clientCert], only one is allowed

As a note, I previously had both GCE and GKE E2E clusters up, so it may be confused. But ... is this some sort of upgrade behavior gone awry? (Sorry, just trying to vet this for cluster creation on the GKE provider, because it's about to get enabled on Jenkins.)

@zmerlynn

zmerlynn commented Jan 8, 2015

Copy link
Copy Markdown
Member

Yeah, I think this is currently failing to create clusters with the GKE provider (sorry). I removed ~/.kube* clutter from my home directory just to make sure I wasn't doing something wrong, then double checked ~/.config/gcloud/kubernetes after a go run ./hack/e2e.go -v -down to make sure we cleaned up there, and I'm still getting the above error on an attempt to -up.

@deads2k

deads2k commented Jan 8, 2015

Copy link
Copy Markdown
Contributor Author

@zmerlynn I'm most appreciative. Do you have a .kubeconfig file? One possibility is that you have a .kubeconfig file that specifies a client cert and you're also specifying a --auth-path or you could be trying to expression both --auth-path and --client-certificate .

I think it probably makes sense for me to eliminate the restriction of a single means of identification for now, to be revisited at a later time.

@zmerlynn

zmerlynn commented Jan 8, 2015

Copy link
Copy Markdown
Member

I need to disappear for the day, but perhaps @jlowdermilk or @mbforbes can help answer questions. I don't have a specific .kubeconfig file - this just a plain out-of-box config (that I tried to roll back to vanilla, but that's remarkably fidgety).

If you have Google Compute access, you should be able to run the GKE provider as well, so it's not too hard to test on your side. But yes, removing that restriction sounds wise. :)

@j3ffml j3ffml self-assigned this Jan 8, 2015
@j3ffml

j3ffml commented Jan 8, 2015

Copy link
Copy Markdown
Contributor

I can take a look. Attempting to run gce/gke e2e now.

@zmerlynn

zmerlynn commented Jan 8, 2015

Copy link
Copy Markdown
Member

@jlowdermilk: You may not want to assign unless you want to review the whole thing. :) I was just doing a sniff test on GKE cluster creation by taking the pull request into a local branch (since it broke GCE yesterday).

@zmerlynn

zmerlynn commented Jan 8, 2015

Copy link
Copy Markdown
Member

@deads2k: FWIW, I'm totally excited for this to land finally. Looking forward to parallel configs without having to hack around it.

@j3ffml

j3ffml commented Jan 8, 2015

Copy link
Copy Markdown
Contributor

@zmerlynn, yup, that's intentional, I reviewed most of this already in #2861.

@deads2k, for GKE at least, the problem is what you suggested. gcloud specifies both --auth-path and --client-certificate. It does this because it is using an older template of the kubernetes_auth file that contains only "User" and "Password". We can fix that in a future release, but for now, is it reasonable to allow both authFile and clientCert and merge them in that order?

@deads2k

deads2k commented Jan 8, 2015

Copy link
Copy Markdown
Contributor Author

@jlowdermilk I'm working on doing that now. I've got to get the different merge orders and defaulting correct. I'll have it this afternoon.

@deads2k deads2k force-pushed the deads-add-kubeconfig-file-properly branch 2 times, most recently from 6073f54 to 138254a Compare January 8, 2015 19:34
@deads2k

deads2k commented Jan 8, 2015

Copy link
Copy Markdown
Contributor Author

@jlowdermilk Rebased, clean travis, and my hack/e2e-test.sh using the GCE provider finished clean. You should definitely take the time to review "fixes e2e failure on gce with new .kubeconfig, kick travis". The loading rules are significantly more complex that they were in #2861, but I think I've broken them down enough to be understandable.

EDIT

2015/01/08 14:52:17 Passed tests: basic.sh[1/1] certs.sh[1/1] goe2e.sh[1/1] guestbook.sh[1/1] liveness.sh[1/1] monitoring.sh[1/1] pd.sh[1/1] private.sh[1/1] services.sh[1/1] update.sh[1/1]
2015/01/08 14:52:17 Flaky tests:
2015/01/08 14:52:17 Failed tests:
2015/01/08 14:52:17 Success!
2015/01/08 14:52:17 Running: teardown
Project: openshift-gce-devel

@deads2k deads2k force-pushed the deads-add-kubeconfig-file-properly branch from 138254a to 60a46e7 Compare January 8, 2015 21:31
@j3ffml

j3ffml commented Jan 8, 2015

Copy link
Copy Markdown
Contributor

LGTM

@j3ffml j3ffml added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 8, 2015
@smarterclayton

Copy link
Copy Markdown
Contributor

Ready to try again.... :)

j3ffml added a commit that referenced this pull request Jan 8, 2015
@j3ffml j3ffml merged commit b26dfac into kubernetes:master Jan 8, 2015
@deads2k deads2k deleted the deads-add-kubeconfig-file-properly branch January 9, 2015 12:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

lgtm "Looks good to me", indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants