Initial allocation of several maps as the sizes are known
Signed-off-by: Adrián Orive <adrian.orive.oneca@gmail.com>
Kubernetes-commit: 2299f45f52464beff889fce7be1f66642a92b791
Ensure that bootstrap+clientcert-rotation in the Kubelet can:
1. happen in the background so that static pods aren't blocked by bootstrap
2. collapse down to a single call path for requesting a CSR
3. reorganize the code to allow future flexibility in retrieving bootstrap creds
Fetching the first certificate and later certificates when the kubelet
is using client rotation and bootstrapping should share the same code
path. We also want to start the Kubelet static pod loop before
bootstrapping completes. Finally, we want to take an incremental step
towards improving how the bootstrap credentials are loaded from disk
(potentially allowing for a CLI call to get credentials, or a remote
plugin that better integrates with cloud providers or KSMs).
Reorganize how the kubelet client config is determined. If rotation is
off, simplify the code path. If rotation is on, load the config
from disk, and then pass that into the cert manager. The cert manager
creates a client each time it tries to request a new cert.
Preserve existing behavior where:
1. bootstrap kubeconfig is used if the current kubeconfig is invalid/expired
2. we create the kubeconfig file based on the bootstrap kubeconfig, pointing to
the location that new client certs will be placed
3. the newest client cert is used once it has been loaded
Kubernetes-commit: 0af19875add7deb562b2cf7bf6b1d273c44bab1b
update bazel and fix goftm
use defaultStorageAccountKind
fix test failure
update godep license file
fix staging godeps issue
update staging godeps
fix comments, use one API call for file creation
Kubernetes-commit: bc2c79a43af1ad47218643c0a3b58b3388606336
certificate.FileStore only handles (cert, key) combined PEM files. This
PR allows (key, cert), which is what "openssl req -out foo.pem -keyout
foo.pem" generates.
Kubernetes-commit: 4b6a6a1cd5c8df83b3c51a03ecab975b82057489
With the current behavior, when kubelet starts, a `templateChanged`
event is always fired off because it only checks if `getLastRequest`
matches `getTemplate`. The last request only exists in memory and thus
is initially `nil` and can't ever match the current template during
startup.
This causes kubelet to request the signing of a new CSR every time it's
restarted. This commit changes the behavior so that `templateChanged` is
only fired off if the currently template doesn't match both the current
certificate and the last template.
Fixes#69471
Signed-off-by: Andrew Gunnerson <andrew.gunnerson@us.ibm.com>
Kubernetes-commit: b9ab65d689cc48353ca5dae9f210ff408726a0d2
Use `k8s.io/client-go/kubernetes/fake.Clientset` as the fake k8s client.
Signed-off-by: He Xiaoxi <xxhe@alauda.io>
Kubernetes-commit: a96a390d924d33ba7dda13761ff0eb1eb37a02b6
adds an address flag to kubectl port-forward to allow to bind to a different ip then localhost
Kubernetes-commit: 4643c6e95e0a0cf6561554fb3b9a1bc59bcead0c
If the permissions are not setup correctly the example fails.
Change-Id: I167ef68be66f8b56740236ae475c3b7fdcc0dfb5
Kubernetes-commit: d222c310aaa4ce8777094f4a37a920982aff794d
