feat: add EnableSecureTLSBootstrapping to bootstrap config #3653
// EnableSecureTLSBootstraping - when this feature is enabled we don't hard-code TLS bootstrap tokens at all, | ||
// instead we create a modified bootstrap kubeconfig which points towards the STLS bootstrap client-go | ||
// credential plugin installed on the VHD, which will be responsible for generating TLS bootstrap tokens on the fly | ||
EnableSecureTLSBootstrapping bool |
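Review bot: the doc comment on the new field starts with `EnableSecureTLSBootstraping` (one `p`) while the field is named `EnableSecureTLSBootstrapping`; Go doc comments are expected to begin with the exact identifier, so fix the spelling so the comment attaches to the field and stays searchable. The comment would also read better if it named the relationship to `KubeletClientTLSBootstrapToken` explicitly (this flag means "bootstrap without a hard-coded token"), since that distinction is what the review discussion below has to explain.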
this will be set to false until enabled on the RP-side
Pull Request Test Coverage Report for Build 6343069414
💛 - Coveralls
pkg/agent/baker.go
@@ -379,7 +379,10 @@ func getContainerServiceFuncMap(config *datamodel.NodeBootstrappingConfiguration | |||
return IsKubeletConfigFileEnabled(cs, profile, config.EnableKubeletConfigFile) | |||
}, | |||
"IsKubeletClientTLSBootstrappingEnabled": func() bool { | |||
return IsKubeletClientTLSBootstrappingEnabled(config.KubeletClientTLSBootstrapToken) | |||
return config.EnableSecureTLSBootstrapping || IsKubeletClientTLSBootstrappingEnabled(config.KubeletClientTLSBootstrapToken) |
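Review bot: the replaced `return` changes what the template function `IsKubeletClientTLSBootstrappingEnabled` answers (true for secure or token-based bootstrapping) while the Go helper of the same name that it still calls only checks for a hard-coded token; the shared name is exactly what prompts the question later in this thread. Suggest a short comment on the map entry, or a distinct name such as `IsTLSBootstrappingEnabled` for the combined check, and a note on which mode wins when `EnableSecureTLSBootstrapping` is true and a token is also present: the OR discards that distinction, so any template that embeds the token cannot tell the two cases apart from this value alone.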
since we're OR'ing, EnableSecureTLSBootstrapping being false won't affect the overall value
clueless question - what's the difference between config having EnableSecureTLSBootstrapping set to true and IsKubeletClientTLSBootstrappingEnabled returning true?
basically, `EnableSecureTLSBootstrap` will be true when we are doing TLS bootstrapping but we're NOT using a hard-coded token, `IsKubeletClientTLSBootstrappingEnabled()` will be true when the node bootstrapping config we get from RP includes a hard-coded token, also implying that we're doing TLS bootstrapping. so `IsKubeletClientTLSBootstrappingEnabled` overall will return true when we're doing some form of TLS bootstrapping, whether that be the secure way or with a hard-coded token
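The two flags explained above, as an added example in Go that is not part of the AgentBaker PR or the project's code: it keeps the secure and token-based modes distinct instead of collapsing them into one bool, renders the matching bootstrap kubeconfig user entry (a client-go exec credential plugin stanza in the secure case, a bare token in the legacy case), and checks that the secure form never embeds a token. Only the two field names `EnableSecureTLSBootstrapping` and `KubeletClientTLSBootstrapToken` come from the PR; the plugin path `/opt/azure/tls-bootstrap-client`, the user name `kubelet-bootstrap`, the secure-wins precedence when both fields are set, and the sample token are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// BootstrapConfig carries the two fields discussed in the thread. The field
// names come from the PR; everything else in this file is illustrative.
type BootstrapConfig struct {
	KubeletClientTLSBootstrapToken *string
	EnableSecureTLSBootstrapping   bool
}

// TLSBootstrapMode keeps the two ways of bootstrapping distinct, which the
// OR'd template function in the PR collapses into a single bool.
type TLSBootstrapMode int

const (
	ModeNone   TLSBootstrapMode = iota // kubelet gets no bootstrap kubeconfig
	ModeSecure                         // exec credential plugin, no token on disk
	ModeToken                          // hard-coded bootstrap token in the kubeconfig
)

// SecureTLSBootstrapPluginPath is a hypothetical location for the client-go
// credential plugin on the VHD; the real path is not stated in the PR.
const SecureTLSBootstrapPluginPath = "/opt/azure/tls-bootstrap-client"

// Mode resolves the configuration to one mode. Secure bootstrapping wins when
// both fields are set; the PR states no precedence, so this is an assumption
// chosen so that a token is never written out when the plugin is available.
func Mode(c BootstrapConfig) TLSBootstrapMode {
	if c.EnableSecureTLSBootstrapping {
		return ModeSecure
	}
	if c.KubeletClientTLSBootstrapToken != nil && *c.KubeletClientTLSBootstrapToken != "" {
		return ModeToken
	}
	return ModeNone
}

// IsTLSBootstrappingEnabled mirrors the PR's OR: true for either mode.
func IsTLSBootstrappingEnabled(c BootstrapConfig) bool {
	return Mode(c) != ModeNone
}

// execConfig is the client-go exec credential plugin stanza of a kubeconfig user.
type execConfig struct {
	APIVersion      string `json:"apiVersion"`
	Command         string `json:"command"`
	InteractiveMode string `json:"interactiveMode"`
}

type userInfo struct {
	Token string      `json:"token,omitempty"`
	Exec  *execConfig `json:"exec,omitempty"`
}

// NamedUser is one entry of the kubeconfig "users" list. JSON is valid YAML,
// so this rendering loads wherever a kubeconfig is read with clientcmd.
type NamedUser struct {
	Name string   `json:"name"`
	User userInfo `json:"user"`
}

// BootstrapUser builds the user entry for the bootstrap kubeconfig.
func BootstrapUser(c BootstrapConfig) (NamedUser, error) {
	switch Mode(c) {
	case ModeSecure:
		return NamedUser{Name: "kubelet-bootstrap", User: userInfo{Exec: &execConfig{
			APIVersion:      "client.authentication.k8s.io/v1",
			Command:         SecureTLSBootstrapPluginPath,
			InteractiveMode: "Never",
		}}}, nil
	case ModeToken:
		return NamedUser{Name: "kubelet-bootstrap", User: userInfo{Token: *c.KubeletClientTLSBootstrapToken}}, nil
	}
	return NamedUser{}, errors.New("TLS bootstrapping is not enabled")
}

// RenderBootstrapUser serializes the entry as it would land on the node.
func RenderBootstrapUser(c BootstrapConfig) (string, error) {
	u, err := BootstrapUser(c)
	if err != nil {
		return "", err
	}
	b, err := json.MarshalIndent(u, "", "  ")
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// EmbedsToken is the check a reviewer wants on the secure path: the rendered
// kubeconfig must not contain the bootstrap token anywhere.
func EmbedsToken(rendered, token string) bool {
	return token != "" && strings.Contains(rendered, token)
}

func main() {
	token := "abcdef.0123456789abcdef" // constructed sample in bootstrap-token shape
	for _, c := range []BootstrapConfig{
		{},
		{KubeletClientTLSBootstrapToken: &token},
		{KubeletClientTLSBootstrapToken: &token, EnableSecureTLSBootstrapping: true},
	} {
		out, err := RenderBootstrapUser(c)
		fmt.Printf("mode=%d enabled=%v embedsToken=%v err=%v\n%s\n",
			Mode(c), IsTLSBootstrappingEnabled(c), EmbedsToken(out, token), err, out)
	}
}
```

The third configuration in `main` is the case the OR hides: a token is present and the secure flag is set, and the rendered entry carries only the exec stanza, so `EmbedsToken` reports false for it and true for the legacy entry.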
Thanks, makes sense - might be a good idea to add this as a comment somewhere maybe for future reference?
did some renaming to make this a bit more clear, also added comments :)
@alexeldeib , @cameronmeissner - Hey friends - when are y'all planning on releasing this? DB is planning on moving off of our custom AKS image (described in some detail here - #2815) - but we don't plan on being able to be fully off of it until the end of December. I'm wondering if there's a way to explicitly exclude our clusters or subscriptions (within the MSFT tenant) from this feature until we've completed that migration?
Co-authored-by: Cameron Meissner <[email protected]>
What type of PR is this?
/kind feature
What this PR does / why we need it:
This is the initial PR for secure TLS bootstrap integration work. It simply adds a new property to the node bootstrapping configuration datamodel which specifies whether or not secure TLS bootstrapping is enabled by RP. Subsequent PRs will use this value to implement the secure TLS bootstrap-specific logic.
Which issue(s) this PR fixes:
Fixes #
Requirements:
Special notes for your reviewer:
Release note: