According to kubeadm repo ticket 1665, /etc/pki
can contain subdirectories with private keys on some distros.
Avoid mounting the entire /etc/pki and mount /etc/pki/ca-trust
and /etc/pki/tls/certs instead. These directories are mounted
as an extra locations which can be used to search
for additional system CAs.
Currently, there are some unit tests that are failing on
Windows due to various reasons:
- time.Now() is not as precise on Windows, which means that
2 consecutive calls may return the same timestamp.
- Different "File not found" error messages on Windows.
- The default Container Runtime URL scheme on Windows is npipe, not unix.
StaticPodMirroringTimeout and StaticPodMirroringRetryInterval
are use for just an API call to get Pods(). The already existing
constants.KubernetesAPICallRetryInterval
and kubeadmapi.GetActiveTimeouts().KubernetesAPICall.Duration
can be used for that instead.
Follow the same process of adding the Timeouts struct
to UpgradeConfiguration similarly to how it was done for
other API Kinds.
In the Timeouts struct include one new timeout:
- UpgradeManifests
When the flag is defaulted before writing the apiserver manifest,
the input "cfg" object should not be mutated.
If the "cfg" is mutated, the upload ClusterConfiguration
to the cluster will include the defaulting, which is not
needed.
The idempotency.go (perhaps not so accurately named) contains
API calls that kubeadm does against an API server using client-go.
Some users seem to have unstable setups where for unknown reasons
the API server can be unavailable or refuse to respond as expected.
Use PollUntilContextTimeout in all exported functions to ensure
such API calls are all retry-able.
NOTE: The context passed to PollUntilContextTimeout is not propagated
in the polled function. Instead the poll function creates it's own
context 'ctx := context.Background()', this is to avoid
breaking expectations on the side of the callers, that expect
a certain type of error and not "context timeout" errors.
Additional changes:
- Make all context.TODO() -> context.Background()
- Update all unit tests and make sure during testing the retry
interval and timeout are short. Test coverage of idempotency.go
is at ~97%.
- Remove the TestMutateConfigMapWithConflict test. It does not
contribute much, because conflict handling is done at the API,
server side, not on the side of kubeadm. This simulating this is not
needed.
WaitForAllControlPlaneComponents is a new feature gate
that can be used to tell kubeadm to wait for all control plane
components and not only kube-apiserver.
- Add the Waiter function WaitForControlPlaneComponents
that waits for all CP components in parallel. Uses the regular
healthz endpoint for checks of status 200.
- Add a new experimental phase to kubeadm join called "wait-control-plane".
A similar phase exists for kubeadm init.
During initialization `kubeadm init` creates kubelet.conf with
specified name and during finalize phase validates that
this kubeconfig is not corrupted by checking for presence of specific
authinfo
However:
* kubelet doesn't require a specific name for this context
* in external CA mode this kubeconfig can be created outside of
`kubeadm init`
This change updates kubeadm finalize stage to avoid overly strict
context check.
