Multi-Master deployments for k8s driver use different service account keys
Bug #1766546 reported by SFilatov
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Magnum | New | Undecided | SFilatov |
Bug Description
Multi-Master deployments for k8s driver use different service account keys for each api/controller manager server which leads to 401 errors for service accounts.
we should set artifacts for service-
Changed in magnum: assignee: nobody → SFilatov (sergeyfilatov)
To get things clear about certificates in Kubernetes:
K8s api-server:
1. apiserver tls certificate is generated on master nodes via make-cert.sh script and signed by ca (it will be different on each api server).
options:
--tls-cert-file
--tls-private-key-file
2. ca.pem stored in magnum is deployed to master nodes via api call in make-cert.sh script. It is used for user certificate authentication.
option:
--client-ca-file
3. service-account-key-file is used to verify sa secrets generated by controller-manager. Should be the same on each master node. It generally has nothing to do with ca. We basically need public key for that.
option:
--service-account-key-file
K8s controller-manager:
4. root-ca-file is ca.pem to be included in serviceaccount's secret.
option:
--root-ca-file
5. service-account-private-key-file is used to sign secrets and should be the same on each master node. Private key for a public one used in (3).
option:
--service-account-private-key-file
6. cluster signing pair is used in k8s to support signer api (https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/). We do need to specify both ca.pem and ca.key for that. Currently magnum exposes ca.key via user-data if cert_manager_api label is specified.
Here I assume that we are using a single ca for everything in a cluster.
Currently magnum uses apiserver key file for both service-account-private-key-file and service-account-key-file which is wrong for multi-master deployments.
I suggest we generate keypair on magnum side and deploy it to master nodes on boot.
I'm interested in community members' opinions about this, so let's have an open discussion.
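The mismatch described in (3) and (5), as an added example that is not from the bug report or the Magnum project: a token signed with one master's key is checked against another master's public key, then against a single shared keypair. It assumes openssl is on the path; the key labels master1, master2 and shared are made up.

```shell
#!/bin/sh
# Added example, not Magnum code: shows with openssl why a token signed on one
# master fails verification on a master holding a different key (the 401),
# and the flag layout for one shared keypair. Key labels are made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One RSA keypair under a label such as "master1" or "shared".
gen_keypair() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Stand-in for controller-manager signing an SA token with the key given by
# --service-account-private-key-file: $1 label, $2 payload file, $3 signature out.
sign_token() {
    openssl dgst -sha256 -sign "$WORK/$1.key" -out "$3" "$2"
}

# Stand-in for kube-apiserver checking a token against the public key given by
# --service-account-key-file; prints "ok" or "fail" (fail is the 401 path).
verify_token() {
    if openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$3" "$2" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# Flags every master should carry once the keypair is generated centrally.
flags_for_master() {
    cat <<EOF
kube-apiserver --service-account-key-file=$WORK/$1.pub --client-ca-file=ca.pem
kube-controller-manager --service-account-private-key-file=$WORK/$1.key --root-ca-file=ca.pem
EOF
}

demo() {
    printf 'constructed SA token payload' > "$WORK/token"
    gen_keypair master1   # today: each master mints its own apiserver key ...
    gen_keypair master2   # ... and reuses it for both service-account flags
    sign_token master1 "$WORK/token" "$WORK/token.sig"
    echo "signed on master1, checked on master1: $(verify_token master1 "$WORK/token" "$WORK/token.sig")"
    echo "signed on master1, checked on master2: $(verify_token master2 "$WORK/token" "$WORK/token.sig")"
    gen_keypair shared    # proposed: one pair generated by magnum, deployed to all masters
    sign_token shared "$WORK/token" "$WORK/token.sig"
    echo "signed with shared key, checked anywhere: $(verify_token shared "$WORK/token" "$WORK/token.sig")"
    flags_for_master shared
}
demo
```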