[openstack-dev] [magnum] K8S apiserver key sync

Spyros Trigazis strigazi at gmail.com
Mon Apr 23 08:18:35 UTC 2018


Hi Sergey,

In magnum queens we can set the private ca as a service account key.
Here [1] we can set the ca.key file. When the label cert_manager_api is
set to true.

Cheers,
Spyros

[1]
https://github.com/openstack/magnum/blob/master/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh#L32

On 20 April 2018 at 19:57, Sergey Filatov <s.s.filatov94 at gmail.com> wrote:

> Hello,
>
> I looked into k8s drivers for magnum I see that each api-server on master
> node generates it’s own service-account-key-file. This causes issues with
> service-accounts authenticating on api-server. (In case api-server endpoint
> moves).
> As far as I understand we should have either all api-server keys synced on
> api-servesr or pre-generate single api-server key.
>
> What is the way for magnum to get over this issue?
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180423/87b31819/attachment.html>


More information about the OpenStack-dev mailing list