From b3f91f0c0288bcd60db33bcd48742079723e2347 Mon Sep 17 00:00:00 2001
From: Dave Chen
Date: Wed, 12 Oct 2022 16:46:31 +0800
Subject: [PATCH] kubeadm: Enable `dry-run` mode for phase of `control-plane-prepare certs`

- All certs will be created under the folder of `/etc/kubernetes/tmp/kubeadm-join-dryrunxxx` if the `dry-run` mode is enabled.
- Try to make each phase idempotent by resetting the cert dir with `dry-run` mode

Signed-off-by: Dave Chen
---
 .../app/cmd/phases/join/controlplaneprepare.go | 13 +++++++++----
 cmd/kubeadm/app/phases/certs/certlist.go | 3 +++
 cmd/kubeadm/app/phases/copycerts/copycerts.go | 2 ++
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/cmd/kubeadm/app/cmd/phases/join/controlplaneprepare.go b/cmd/kubeadm/app/cmd/phases/join/controlplaneprepare.go
index 24e53adcfcb..ac5eac49f7f 100644
--- a/cmd/kubeadm/app/cmd/phases/join/controlplaneprepare.go
+++ b/cmd/kubeadm/app/cmd/phases/join/controlplaneprepare.go
@@ -108,6 +108,7 @@ func getControlPlanePreparePhaseFlags(name string) []string {
 options.TokenDiscoverySkipCAHash,
 options.TLSBootstrapToken,
 options.TokenStr,
+ options.DryRun,
 }
 case "kubeconfig":
 flags = []string{
@@ -230,10 +231,10 @@ func runControlPlanePrepareDownloadCertsPhaseLocal(c workflow.RunData) error {
 return err
 }
 
- // If we're dry-running, download certs to tmp dir
- if data.DryRun() {
- cfg.CertificatesDir = data.CertificateWriteDir()
- }
+ // If we're dry-running, download certs to tmp dir, and defer to restore to the path originally specified by the user
+ certsDir := cfg.CertificatesDir
+ cfg.CertificatesDir = data.CertificateWriteDir()
+ defer func() { cfg.CertificatesDir = certsDir }()
 
 client, err := bootstrapClient(data)
 if err != nil {
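Review bot: The comment on the first added line of the @@ -230 hunk still reads "If we're dry-running", but the assignment under it is now unconditional — `cfg.CertificatesDir = data.CertificateWriteDir()` runs on every join, so the phase is only correct if `CertificateWriteDir()` hands back the user-configured directory when dry-run is off, which the hunk does not show and a later reader cannot verify from this comment. I would restate the contract the code now relies on: `// CertificateWriteDir() is a temporary dir in dry-run mode and the configured dir otherwise; swap it in for this phase and restore the user-specified path on exit.` The deferred restore is what keeps a shared cfg clean for the following phases on both success and error paths, which is presumably the idempotency the commit message refers to; worth saying so in the comment. The same wording issue applies to the added lines in the @@ -264 hunk of runControlPlanePrepareCertsPhaseLocal. The rest of runControlPlanePrepareDownloadCertsPhaseLocal lies outside the hunk.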
@@ -264,6 +265,10 @@ func runControlPlanePrepareCertsPhaseLocal(c workflow.RunData) error {
 
 fmt.Printf("[certs] Using certificateDir folder %q\n", cfg.CertificatesDir)
 
+ // if dryrunning, write certificates files to a temporary folder (and defer restore to the path originally specified by the user)
+ certsDir := cfg.CertificatesDir
+ cfg.CertificatesDir = data.CertificateWriteDir()
+ defer func() { cfg.CertificatesDir = certsDir }()
 // Generate missing certificates (if any)
 return certsphase.CreatePKIAssets(cfg)
 }
diff --git a/cmd/kubeadm/app/phases/certs/certlist.go b/cmd/kubeadm/app/phases/certs/certlist.go
index f8edee04ce0..33539a9fdf2 100644
--- a/cmd/kubeadm/app/phases/certs/certlist.go
+++ b/cmd/kubeadm/app/phases/certs/certlist.go
@@ -21,10 +21,12 @@ import (
 "crypto/x509"
 "fmt"
 "io"
+ "path/filepath"
 
 "github.com/pkg/errors"
 
 certutil "k8s.io/client-go/util/cert"
+ "k8s.io/klog/v2"
 
 kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
@@ -151,6 +153,7 @@ func (t CertificateTree) CreateTree(ic *kubeadmapi.InitConfiguration) error {
 continue
 }
 // CA key exists; just use that to create new certificates.
+ klog.V(1).Infof("[certs] Using the existing CA certificate %q and key %q\n", filepath.Join(ic.CertificatesDir, fmt.Sprintf("%s.crt", ca.BaseName)), filepath.Join(ic.CertificatesDir, fmt.Sprintf("%s.key", ca.BaseName)))
 } else {
 // CACert doesn't already exist, create a new cert and key.
 caCert, caKey, err = pkiutil.NewCertificateAuthority(cfg)
diff --git a/cmd/kubeadm/app/phases/copycerts/copycerts.go b/cmd/kubeadm/app/phases/copycerts/copycerts.go
index df35a82a59c..3c716695535 100644
--- a/cmd/kubeadm/app/phases/copycerts/copycerts.go
+++ b/cmd/kubeadm/app/phases/copycerts/copycerts.go
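Review bot: In the @@ -264 hunk the existing `fmt.Printf("[certs] Using certificateDir folder %q\n", cfg.CertificatesDir)` is evaluated before the new lines replace `cfg.CertificatesDir` with `data.CertificateWriteDir()`, so in dry-run mode the folder reported to the user is not the one `certsphase.CreatePKIAssets(cfg)` actually writes into. Moving the `certsDir := cfg.CertificatesDir` line, the assignment and the `defer` above the Printf (or printing `data.CertificateWriteDir()` instead) makes the output match the destination, which matters here because the written files include private keys. The top of runControlPlanePrepareCertsPhaseLocal is outside the hunk.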
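Review bot: The klog line added in the @@ -151 hunk builds each path with an inline `filepath.Join`/`fmt.Sprintf` pair, which makes a single log call hard to read and duplicates path logic this function already delegates to pkiutil. I would compute them once, `certPath, keyPath := pkiutil.PathsForCertAndKey(ic.CertificatesDir, ca.BaseName)`, and log `klog.V(1).Infof("[certs] Using the existing CA certificate %q and key %q", certPath, keyPath)`; that also lets the new `path/filepath` import go if nothing else in the file needs it. The trailing `\n` in the format is redundant since klog appends a newline when the message lacks one. CreateTree starts and ends outside the hunk.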
@@ -234,6 +234,8 @@ func DownloadCerts(client clientset.Interface, cfg *kubeadmapi.InitConfiguration
 return errors.Wrap(err, "error decoding secret data with provided key")
 }
 
+ fmt.Printf("[download-certs] Saving the certificates to the folder: %q\n", cfg.CertificatesDir)
+
 for certOrKeyName, certOrKeyPath := range certsToTransfer(cfg) {
 certOrKeyData, found := secretData[certOrKeyNameToSecretName(certOrKeyName)]
 if !found {
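Review bot: The new `fmt.Printf` announces that the certificates are being saved before the loop that writes them has run, and it is printed unconditionally, so when the loop then bails out on the `!found` branch (or a later write error) the output still claims a save happened into that folder. Either emit the line after the loop finishes, or word it as intent — `"[download-certs] Saving the certificates to the folder %q\n"` is fine as long as the error path that follows names the same folder so an operator can reconcile the two. The body of DownloadCerts continues outside the hunk on both sides.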