kubeadm certs check-expiration support json/yaml output #123372

Merged
merged 4 commits into from
Feb 22, 2024

@carlory carlory commented Feb 19, 2024

What type of PR is this?

/kind feature

What this PR does / why we need it:

  1. text print will not be changed.

```
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 05, 2025 08:38 UTC   351d            ca                      no
apiserver                  Feb 05, 2025 08:38 UTC   351d            ca                      no
apiserver-etcd-client      Feb 05, 2025 08:38 UTC   351d            etcd-ca                 no
apiserver-kubelet-client   Feb 05, 2025 08:38 UTC   351d            ca                      no
controller-manager.conf    Feb 05, 2025 08:38 UTC   351d            ca                      no
etcd-healthcheck-client    Feb 05, 2025 08:38 UTC   351d            etcd-ca                 no
etcd-peer                  Feb 05, 2025 08:38 UTC   351d            etcd-ca                 no
etcd-server                Feb 05, 2025 08:38 UTC   351d            etcd-ca                 no
front-proxy-client         Feb 05, 2025 08:38 UTC   351d            front-proxy-ca          no
scheduler.conf             Feb 05, 2025 08:38 UTC   351d            ca                      no
super-admin.conf           Feb 05, 2025 08:38 UTC   351d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 03, 2034 08:38 UTC   9y              no
etcd-ca                 Feb 03, 2034 08:38 UTC   9y              no
front-proxy-ca          Feb 03, 2034 08:38 UTC   9y              no
```

  2. json print

```json
{
    "kind": "CertificateExpirationInfo",
    "apiVersion": "output.kubeadm.k8s.io/v1alpha3",
    "certificates": [
        {
            "name": "admin.conf",
            "expirationDate": "2025-02-05T08:38:15Z",
            "residualTime": 30410401634330825,
            "externallyManaged": false,
            "caName": "ca",
            "missing": false
        },
      ...
    ],
    "certificateAuthorities": [
        {
            "name": "ca",
            "expirationDate": "2034-02-03T08:38:14Z",
            "residualTime": 314234400633287229,
            "externallyManaged": false,
            "missing": false
        },
    ...
    ]
}
```

  3. yaml print

```yaml
apiVersion: output.kubeadm.k8s.io/v1alpha3
certificateAuthorities:
- expirationDate: 2025-02-05T08:38:15Z
  externallyManaged: false
  missing: false
  name: ca
  residualTime: 314234210341126462
...
certificates:
- caName: ca
  expirationDate: 2034-02-03T08:38:14Z
  externallyManaged: false
  missing: false
  name: admin.conf
  residualTime: 30410211342350352
...
kind: CertificateExpirationInfo
```

Which issue(s) this PR fixes:

Part of kubernetes/kubeadm#494

Special notes for your reviewer:

Does this PR introduce a user-facing change?

kubeadm: add support for machine readable output with "-o yaml" and "-o json" to the command "kubeadm certs check-expiration". This change is added in a new API "kind": "CertificateExpirationInfo",  "apiVersion": "output.kubeadm.k8s.io/v1alpha3". The existing non structured formatting is preserved. The output API version v1alpha2 is now deprecated and will be removed in a future release. Please migrate to using v1alpha3.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/issues/2504
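
A consumer of the new `-o json` output, added here as an example (not code from this PR or from kubeadm): it decodes a document shaped like the sample in the description and reports entries that are missing or expire within a given window. The helper `expiringSoon`, the struct names and the embedded sample are assumptions; it reads `expirationDate` only, because the page does not state the unit of `residualTime`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// entry holds the fields used here, named as in the JSON sample of the PR description.
type entry struct {
	Name           string    `json:"name"`
	ExpirationDate time.Time `json:"expirationDate"`
	Missing        bool      `json:"missing"`
}
type expirationInfo struct {
	APIVersion             string  `json:"apiVersion"`
	Certificates           []entry `json:"certificates"`
	CertificateAuthorities []entry `json:"certificateAuthorities"`
}

// sampleJSON is constructed: admin.conf and ca follow the PR description, the missing etcd-peer entry is made up.
const sampleJSON = `{"kind": "CertificateExpirationInfo", "apiVersion": "output.kubeadm.k8s.io/v1alpha3",
 "certificates": [{"name": "admin.conf", "expirationDate": "2025-02-05T08:38:15Z", "caName": "ca", "missing": false},
  {"name": "etcd-peer", "caName": "etcd-ca", "missing": true}],
 "certificateAuthorities": [{"name": "ca", "expirationDate": "2034-02-03T08:38:14Z", "missing": false}]}`

// expiringSoon (hypothetical helper) lists entries that are missing or expire before now+window.
func expiringSoon(raw []byte, now time.Time, window time.Duration) ([]string, error) {
	var info expirationInfo
	if err := json.Unmarshal(raw, &info); err != nil {
		return nil, fmt.Errorf("decode check-expiration output: %w", err)
	}
	// Refuse other output API versions instead of guessing at their field layout.
	if info.APIVersion != "output.kubeadm.k8s.io/v1alpha3" {
		return nil, fmt.Errorf("unexpected apiVersion %q", info.APIVersion)
	}
	var flagged []string
	for _, e := range append(info.Certificates, info.CertificateAuthorities...) {
		if e.Missing {
			flagged = append(flagged, e.Name+": missing")
		} else if e.ExpirationDate.Before(now.Add(window)) {
			flagged = append(flagged, e.Name+": expires "+e.ExpirationDate.Format(time.RFC3339))
		}
	}
	return flagged, nil
}

func main() {
	fmt.Println(expiringSoon([]byte(sampleJSON), time.Now(), 30*24*time.Hour))
}
```
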

@k8s-ci-robot

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Feb 19, 2024
@k8s-ci-robot

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Feb 19, 2024
@k8s-ci-robot k8s-ci-robot added area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Feb 19, 2024

@neolit123 neolit123 left a comment

our "unwritten policy" is to make API changes in a new version.
so this has to go in v1alpha3 - a new API.

i will have a more detailed review pass once you complete that.

@neolit123

neolit123 commented Feb 19, 2024

i think the important part is to not break the CLI output (stdout) as some users were already parsing it. :/
it has to continue to exist exactly the way it is.

but for the new structured output we can make some new decisions for example a boolean option can be marshaled to true/false instead of "yes"/"no" strings.

@carlory carlory force-pushed the fix-kubeadm-494 branch 2 times, most recently from 842e3d6 to 1e9f80c Compare February 19, 2024 10:45
@carlory carlory marked this pull request as ready for review February 19, 2024 10:45
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 19, 2024
@neolit123

/release-note-edit

kubeadm: add support for machine readable output with "-o yaml" and "-o json" to the command "kubeadm certs check-expiration". This change is added in a new API "kind": "ExpirationInfo",  "apiVersion": "output.kubeadm.k8s.io/v1alpha3". The existing non structured formatting is preserved. The output API version v1alpha2 is now deprecated and will be removed in a future release. Please migrate to using v1alpha3.

@neolit123

> The output API version v1alpha2 is now deprecated and will be removed in a future release.

@carlory please add a "DEPRECATED: this API will be removed in a future release. Please use v1alpha3." text above this line:
https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/apis/output/v1alpha2/doc.go#L26

cmd/kubeadm/app/cmd/certs.go
}
w := tabwriter.NewWriter(out, 10, 4, 3, ' ', 0)
fmt.Fprintln(w, "CERTIFICATE\tEXPIRES\tRESIDUAL TIME\tCERTIFICATE AUTHORITY\tEXTERNALLY MANAGED")
info := &outputapiv1alpha3.ExpirationInfo{}
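Review bot: on the last line the type is `outputapiv1alpha3.ExpirationInfo`, while the sample output in the PR description reports `"kind": "CertificateExpirationInfo"`. The Go type name, the emitted kind and the release note should agree, so rename one side or update the description before merging.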
Member

can we move the whole code in a new helper function and add a unit test for it?
no need to be very verbose in the unit test, just test a basic JSON output scenario with some certs and CAs, maybe some missing certs too.

@neolit123

neolit123 commented Feb 19, 2024

/uncc @chendave
/cc @pacoxu

the API change already looks good. added some general rename/organization suggestions.

@k8s-ci-robot k8s-ci-robot removed the request for review from chendave February 19, 2024 14:26
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 21, 2024
@k8s-ci-robot k8s-ci-robot requested a review from pacoxu February 21, 2024 11:00
@carlory carlory force-pushed the fix-kubeadm-494 branch 3 times, most recently from d68b0b5 to afa9ab4 Compare February 21, 2024 11:15
if cfgPath == "" {
client, err := kubeconfigutil.ClientSetFromFile(kubeconfigPath)
if cfgPath == "" && client != nil {
internalcfg, err := configutil.FetchInitConfigurationFromCluster(client, printer, logPrefix, false, false)
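Review bot: the `err` returned by `kubeconfigutil.ClientSetFromFile(kubeconfigPath)` on the second line is never inspected in the lines shown; the guard `cfgPath == "" && client != nil` only tests the client, so a failure to load the kubeconfig falls through silently. If that fallback is intended, say so in a comment and discard or log the error explicitly. Also, `internalcfg, err :=` inside the block declares a new `err` that shadows the outer one; use `=` with a pre-declared `internalcfg` or rename one of the two.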
Member

@neolit123 if we give the printer to FetchInitConfigurationFromCluster, -o json will not print the message then.

I split the previous commit into two commits.

the first commit fixes the JSON output (-o json will not print the message)
the second commit adds some tests.

this seems OK, but can we also fix upgrade plan -o json?

@carlory

carlory commented Feb 21, 2024

This PR doesn't fix upgrade plan -o json issue. some messages are always printed. i.e [upgrade] Running cluster health checks

I can fix it in another PR after this PR is merged. @neolit123

@neolit123

> This PR doesn't fix upgrade plan -o json issue. some messages are always printed. i.e [upgrade] Running cluster health checks
>
> I can fix it in another PR after this PR is merged. @neolit123

thanks, ping me on that pr.
@pacoxu looks like we don't have users of the upgrade plan -o json, given we got no report about it.

@neolit123 neolit123 left a comment

tested locally and it looks good.
added 2 minor comments / 1 question.

@k8s-ci-robot

k8s-ci-robot commented Feb 22, 2024

@carlory: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| pull-kubernetes-linter-hints | 0c4df64 | link | false | /test pull-kubernetes-linter-hints |

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@carlory

carlory commented Feb 22, 2024

unrelated failures
/test pull-kubernetes-unit

@pacoxu

pacoxu commented Feb 22, 2024

/lgtm

> This PR doesn't fix upgrade plan -o json issue. some messages are always printed. i.e [upgrade] Running cluster health checks
>
> I can fix it in another PR after this PR is merged. @neolit123

Thanks.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 22, 2024
@k8s-ci-robot

LGTM label has been added.

Git tree hash: f68b696b1ffe0957766b792e1f474727d523fa7e

@neolit123 neolit123 left a comment

thanks @carlory
please ping me on the fix PR for "upgrade plan" when you send it.

/hold cancel
/lgtm

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 22, 2024
@neolit123

```
cmd/kubeadm/app/cmd/certs.go:352:19: Error return value of `printer.Println` is not checked (errcheck)
			printer.Println() // add empty line to separate the FetchInitConfigurationFromCluster output from the command output
			               ^
cmd/kubeadm/app/cmd/certs.go:363:17: Error return value of `printer.Printf` is not checked (errcheck)
		printer.Printf("[%s] Error reading configuration from the Cluster. Falling back to default configuration\n\n", logPrefix)
		              ^
```

these can be fixed with _ = printer.Println()..

@k8s-ci-robot k8s-ci-robot merged commit ec58e1f into kubernetes:master Feb 22, 2024
13 of 14 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.30 milestone Feb 22, 2024