certs: only append locally discovered addresses when we get none from the cloudprovider

[mikedanese]

The cloudprovider is right, and only cloudprovider addresses can be verified centrally, so don't add any extra when we have them.

[k8s-ci-robot]

@mikedanese: Adding do-not-merge/release-note-label-needed because the release note process has not been followed.

One of the following labels is required "release-note", "release-note-action-required", or "release-note-none".
Please see: https://git.k8s.io/community/contributors/devel/pull-requests.md#write-release-notes-if-needed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[ericchiang]

How could these ever not have len() == 0? The var block above creates zero length slices.

[ericchiang]

Maybe

if len(cloudIPs) !=0 || len(cloudNames) != 0 {

[mikedanese]

Ya that's right. I'll add a test :)

[mikedanese]

Hmm, this function seems to be untested.

[ericchiang]

I would have expected the explicitly configured address to override the cloud provider discovered ones. What's the motivation for having discovered addresses override the explicit ones?

[mikedanese]

Ya, explicitly configured addresses should probably come first.

[ericchiang]

/lgtm

[tallclair]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ericchiang, mikedanese, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/kubelet/OWNERS [tallclair]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 54997, 61869, 61816, 61909, 60525). If you want to cherry-pick this change to another branch, please follow the instructions here.

[liggitt]

this doesn't work in combination with the way the kubelet reports addresses, which will fall back reporting a locally detected/overridden hostname address if the cloud provider doesn't specify one:

kubernetes/pkg/kubelet/kubelet_node_status.go

Lines 532 to 546 in ee2e11a

	// Only add a NodeHostName address if the cloudprovider did not specify one
	// (we assume the cloudprovider knows best)
	var addressNodeHostName *v1.NodeAddress
	for i := range nodeAddresses {
	if nodeAddresses[i].Type == v1.NodeHostName {
	addressNodeHostName = &nodeAddresses[i]
	break
	}
	}
	if addressNodeHostName == nil {
	hostnameAddress := v1.NodeAddress{Type: v1.NodeHostName, Address: kl.GetHostname()}
	nodeAddresses = append(nodeAddresses, hostnameAddress)
	} else {
	glog.V(2).Infof("Using Node Hostname from cloudprovider: %q", addressNodeHostName.Address)
	}

the kubelet needs to request a cert valid for the addresses it will report. it might be fine to omit the locally detected hostname in both places, but omitting only in one causes problems

[mikedanese]

cc @awly

[liggitt]

opened #65585 to see what happens if we apply the same logic to node status

[liggitt]

this doesn't seem to make sense... isn't hostnameOverride an "explicit configuration" as well? why would --node-ip trump the cloud provider, and not --hostname-override? I could see making the cloud provider completely authoritative, but the ordering here doesn't make sense to me

edit: retracing this, this address isn't --node-ip, it's --address. that makes even less sense to have it override the cloud-provider-specified addresses.

kubelet node status jumps through a ton of hoops to derive an IP address to report:

		// 1) Use nodeIP if set
		// 2) If the user has specified an IP to HostnameOverride, use it
		// 3) Lookup the IP from node name by DNS and use the first valid IPv4 address.
		//    If the node does not have a valid IPv4 address, use the first valid IPv6 address.
		// 4) Try to get the IP from the network interface used as default gateway
		if kl.nodeIP != nil {
			ipAddr = kl.nodeIP
		} else if addr := net.ParseIP(kl.hostname); addr != nil {
			ipAddr = addr
		} else {
			var addrs []net.IP
			addrs, _ = net.LookupIP(node.Name)
			for _, addr := range addrs {
				if err = kl.nodeIPValidator(addr); err == nil {
					if addr.To4() != nil {
						ipAddr = addr
						break
					}
					if addr.To16() != nil && ipAddr == nil {
						ipAddr = addr
					}
				}
			}

			if ipAddr == nil {
				ipAddr, err = utilnet.ChooseHostInterface()
			}
		}

unfortunately, we have to match that here when requesting certs

[liggitt]

Updated #65585 to make this match as well

[liggitt]

long-term (hopefully in 1.12), we want to switch the serving cert request to react to changes in the node status, so that the node always has a valid cert (or a pending csr) for the addresses in the node status. that lets us contain the crazy address-computing code to one place, and also drive node addresses via an external cloud provider

[liggitt]

long-term (hopefully in 1.12)

turns out it was easier than expected. see #65594