[openstack-dev] [magnum] K8S apiserver key sync

Sergey Filatov s.s.filatov94 at gmail.com
Sun May 20 13:22:01 UTC 2018

I’d like to initiate a discussion about this bug: [1].
To resolve this issue we need to generate a secret cert and pass it to master nodes. We also need to store it somewhere to support scaling.
This issue is specific for kubernetes drivers. Currently in magnum we have a general cert manager which is the same for all the drivers.

What do you think about moving cert_manager logic into a driver-specific area?
Having this common cert_manager logic forces us to generate client cert with “admin” and “system:masters” subject & organisation names [2], 
which is really something that we need only for kubernetes drivers.

[1] https://bugs.launchpad.net/magnum/+bug/1766546 <https://bugs.launchpad.net/magnum/+bug/1766546>
[2] https://github.com/openstack/magnum/blob/2329cb7fb4d197e49d6c07d37b2f7ec14a11c880/magnum/conductor/handlers/common/cert_manager.py#L59-L64 <https://github.com/openstack/magnum/blob/2329cb7fb4d197e49d6c07d37b2f7ec14a11c880/magnum/conductor/handlers/common/cert_manager.py#L59-L64>

..Sergey Filatov

> On 20 Apr 2018, at 20:57, Sergey Filatov <s.s.filatov94 at gmail.com> wrote:
> Hello,
> I looked into k8s drivers for magnum I see that each api-server on master node generates it’s own service-account-key-file. This causes issues with service-accounts authenticating on api-server. (In case api-server endpoint moves).
> As far as I understand we should have either all api-server keys synced on api-servesr or pre-generate single api-server key.
> What is the way for magnum to get over this issue?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20180520/b0be4cc1/attachment.html>

More information about the OpenStack-dev mailing list