Add file paths to keys and certificates #28367
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
language/en
|
✔️ Deploy Preview for kubernetes-io-main-staging ready! 🔨 Explore the source changes: 0320d63 🔍 Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/615f48d994915a0007ee34db 😎 Browse the preview: https://deploy-preview-28367--kubernetes-io-main-staging.netlify.app |
|
It looks like I need to crop the images better. I'll fix them and do a new commit. |
|
/cc |
|
Preview page: https://deploy-preview-28367--kubernetes-io-master-staging.netlify.app/docs/setup/best-practices/certificates/ |
|
@kubernetes/sig-auth-pr-reviews /hold for their review |
k8s-ci-robot
added
do-not-merge/hold
|
Would it be reasonable to mark this as a work-in-progress @chrisnegus ? I'm keen on adding diagrams; we're also keen to get the content and style of those diagrams right (content more than style, if I'm honest). |
|
@sftim My original thought was just to have an easy way to visualize the locations of the files described on this page. I went to some trouble creating the diagrams (even trying to match the Kubernetes color scheme). But the feedback from @fabriziopandini and others I've shown them to is that they needed to be simpler. I'm thinking of reducing this PR to tree output of the files described, as suggested, and leaving it at that. Perhaps we can get agreement on that fairly quickly without making it a WIP. |
k8s-ci-robot
added
size/M
|
When the branch changed to main, the netlify output moved as well. You can view the PR changes here: https://deploy-preview-28367--kubernetes-io-main-staging.netlify.app/docs/setup/best-practices/certificates/ |
|
/lgtm I see this change being minimal, @neolit123 do you think it requires a hold for @kubernetes/sig-auth-pr-reviews? Reverting or correcting the change seems to be similar low impact. |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: bb026f4a66ae0039616dfc036427e7eb13126bc2
|
Yes, it is this. Once you have divided the signers, you have to be sure the correct cert/key pairs are being signed and that the CAs match properly. |
|
Hi @chrisnegus What are your intentions with this PR? Would you like to get help from SIG Auth on revising this? |
It seems that the consensus is to change this visualization to a full path file view that can be copied and pasted. So I did that. If it not ready to merge at this point, I suggest we abandon the PR and move on to something else. |
|
These changes seem reasonable, they don't seem misleading. #28367 (comment) mentioned that “the locations are kubeadm specific” and I think that's still true. I also think that's fine given the added context that these are just examples. I'd still like a review on this from SIG Auth (@kubernetes/sig-auth-misc FYI) - see also #28367 (comment) |
I'd be glad to open a separate issue to address the concerns from #28367 (comment). Should we have @deads2k look at this again, with the understanding that his comment about separating CAs that sign server and client certificates could be addressed in another issue? |
| @@ -162,4 +198,11 @@ These files are used as follows: | |||
| | controller-manager.conf | kube-controller-manager | Must be added to manifest in `manifests/kube-controller-manager.yaml` | | |||
| | scheduler.conf | kube-scheduler | Must be added to manifest in `manifests/kube-scheduler.yaml` | | |||
|
|
|||
| The following illustrates the files listed in the previous table that contain client user certificates and keys: | |||
There was a problem hiding this comment.
Okay. I updated it to say: "The following files illustrate full paths to the files listed in the previous table:"
|
👋 @chrisnegus . |
I don't think any further review is needed since the technical reviewer has already agreed that simply having listings from the files illustrated in the tables was okay. There was one other, separate issue raised. But I'm going to add that to a separate issue. Once that is done, I'll note the new issue here. I would be happy if this could be merged. |
|
I added Issue 29962 to request the change described in the comment above |
There was a problem hiding this comment.
overall LGTM. this reflects the current state of kubeadm. as noted in the Certificate paths section the examples in this page seem to cover kubeadm mostly.
suggested to move https://github.com/kubernetes/website/issues/29962 to a k/kubeadm issue instead.
|
/retitle Add file paths to keys and certificates |
k8s-ci-robot
changed the title
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/label tide/merge-method-squash |
k8s-ci-robot
added
the
tide/merge-method-squash
|
Thanks @chrisnegus . |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 491c160d65e8ff86d7063891ebda994affa26408
|
The https://kubernetes.io/docs/setup/best-practices/certificates/ page provides excellent information on key and certificate files needed by Kubernetes. I felt it would help make it easier to consume that information if there were visual representations of the files contained in tables. So I added three tree outputs to illustrate:
This content is meant to address this issue: #28291