<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hi there,</p>
    <p>For people who may still be interested in this issue: I have
      proposed a patch, see <a class="moz-txt-link-freetext" href="https://review.openstack.org/576029">https://review.openstack.org/576029</a>. I
      have verified it with Sonobuoy for both multi-master (3 master
      nodes) and single-master clusters, and all worked. Any comments will
      be appreciated. Thanks.<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 21/05/18 01:22, Sergey Filatov
      wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:F9387F28-32E9-4B20-A84F-3A9E4B51B131@gmail.com">
      Hi!
      <div class="">I’d like to initiate a discussion about this bug:
        [1].</div>
      <div class="">To resolve this issue we need to generate a secret
        cert and pass it to master nodes. We also need to store it
        somewhere to support scaling.</div>
      <div class="">This issue is specific for kubernetes drivers.
        Currently in magnum we have a general cert manager which is the
        same for all the drivers.</div>
      <div class=""><br class="">
      </div>
      <div class="">What do you think about moving cert_manager logic
        into a driver-specific area?</div>
      <div class="">Having this common cert_manager logic forces us to
        generate client cert with “admin” and “system:masters” subject
        & organisation names [2], </div>
      <div class="">which is really something that we need only for
        kubernetes drivers.</div>
      <div class=""><br class="">
      </div>
      <div class="">[1] <a
          href="https://bugs.launchpad.net/magnum/+bug/1766546" class=""
          moz-do-not-send="true">https://bugs.launchpad.net/magnum/+bug/1766546</a></div>
      <div class="">[2] <a
href="https://github.com/openstack/magnum/blob/2329cb7fb4d197e49d6c07d37b2f7ec14a11c880/magnum/conductor/handlers/common/cert_manager.py#L59-L64"
          class="" moz-do-not-send="true">https://github.com/openstack/magnum/blob/2329cb7fb4d197e49d6c07d37b2f7ec14a11c880/magnum/conductor/handlers/common/cert_manager.py#L59-L64</a></div>
      <div class=""><br class="">
      </div>
      <div class=""><br class="">
      </div>
      <div class="">
        <div class="">
          <div class="">..Sergey Filatov</div>
        </div>
        <div><br class="">
          <blockquote type="cite" class="">
            <div class="">On 20 Apr 2018, at 20:57, Sergey Filatov <<a
                href="mailto:s.s.filatov94@gmail.com" class=""
                moz-do-not-send="true">s.s.filatov94@gmail.com</a>>
              wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">
              <div class="">Hello,<br class="">
                <br class="">
                I looked into the k8s drivers for magnum and I see that each
                api-server on a master node generates its own
                service-account-key-file. This causes issues with
                service-accounts authenticating on api-server. (In case
                api-server endpoint moves).<br class="">
                As far as I understand we should have either all
                api-server keys synced on api-servers or pre-generate
                a single api-server key.<br class="">
                <br class="">
                What is the way for magnum to get over this issue?</div>
            </div>
          </blockquote>
        </div>
        <br class="">
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Cheers & Best regards,
Feilong Wang (王飞龙)
--------------------------------------------------------------------------
Senior Cloud Software Engineer
Tel: +64-48032246
Email: <a class="moz-txt-link-abbreviated" href="mailto:flwang@catalyst.net.nz">flwang@catalyst.net.nz</a>
Catalyst IT Limited
Level 6, Catalyst House, 150 Willis Street, Wellington
-------------------------------------------------------------------------- </pre>
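    <p>Added example, not part of the original thread and not Magnum code: a shell sketch of the failure described in the quoted April message, where a token signed with one master's service-account key fails verification on another master, and of the single pre-generated key that fixes it. The file names, the <code>master-0</code>/<code>master-1</code> labels and the token payload are constructed, and a bare RSA/SHA-256 signature stands in for the signed token.</p>

```shell
#!/usr/bin/env bash
# Constructed demo: why per-master service-account keys break token verification.
# Directory, file names and the token payload are made up for this example.

WORK=$(mktemp -d)

# gen_master_key NAME: create an RSA key pair standing in for one master's
# service-account key (private half signs tokens, public half verifies them).
gen_master_key() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null &&
  openssl rsa -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# sign_token SIGNER: sign the constructed token payload with SIGNER's private key.
sign_token() {
  printf '%s' '{"sub":"system:serviceaccount:default:demo"}' > "$WORK/token"
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/token.sig" "$WORK/token"
}

# verify_token VERIFIER: succeed only if the signature checks out under
# VERIFIER's public key, as an api-server does with its configured key file.
verify_token() {
  openssl dgst -sha256 -verify "$WORK/$1.pub" \
    -signature "$WORK/token.sig" "$WORK/token" >/dev/null 2>&1
}

# Case 1: each master generated its own key (the situation in the bug report).
gen_master_key master-0
gen_master_key master-1
sign_token master-0
verify_token master-0 && echo "per-master keys: master-0 accepts token"
verify_token master-1 || echo "per-master keys: master-1 rejects token"

# Case 2: one pre-generated key distributed to every master.
gen_master_key shared
cp "$WORK/shared.key" "$WORK/master-0.key"; cp "$WORK/shared.pub" "$WORK/master-0.pub"
cp "$WORK/shared.key" "$WORK/master-1.key"; cp "$WORK/shared.pub" "$WORK/master-1.pub"
sign_token master-0
verify_token master-1 && echo "shared key: master-1 accepts token"
```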
  </body>
</html>