Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

vcluster cli add a sub command to update the kubeconfig (especially the certificate) stored in secret #1731

Closed
LinPr opened this issue Apr 30, 2024 · 3 comments

Comments

@LinPr
Copy link
Contributor

LinPr commented Apr 30, 2024

Is your feature request related to a problem?

According to the vcluster cli source code, every time when we execute command vcluter connect <vcluster-name>, the vlcuster cli program will fetch the kubeconfig information from secrete, this secret is created after the vcluster pod is running.
And I checked the certificate inside of the kubeconfig (which is fetched out of the secret) , the certificate inside of this kubeconfig only last 1 year.
well, there is problem, what if someone create a vcluster, and it keeps running more than 1 year, and after that , he can't use vcluster connect <vcluster-name> any more. I mean according to the code , the vlcuster seems won't update the kubeconfig and certificate automaticly.
well , maybe I neglected some codes hava already done those work , if so ,please let me know !

Which solution do you suggest?

if this scenario does exist , we probably could add a sub command of vcluster cli , which will update the kubeconfig and certificate sotred in the secret.
maybe, there are some other better way to impliment this ? such as auto update the certificate inside of the sync progress or something else?

Which alternative solutions exist?

No response

Additional context

No response

@FabianKramm
Copy link
Member

@LinPr thanks for creating this issue! vCluster itself should update the secret and then the connect command will pick that up:

result, err := controllerutil.CreateOrPatch(ctx, currentNamespaceClient, kubeConfigSecret, func() error {
. If you want to ignore the certificate you can also do vcluster connect ... --insecure

@LinPr
Copy link
Contributor Author

LinPr commented Apr 30, 2024

@LinPr thanks for creating this issue! vCluster itself should update the secret and then the connect command will pick that up:

result, err := controllerutil.CreateOrPatch(ctx, currentNamespaceClient, kubeConfigSecret, func() error {

. If you want to ignore the certificate you can also do vcluster connect ... --insecure

Yes thanks for replying , I'v read this part of codes, and this function controllerutil.CreateOrPatch that you mentioned could be useful for create or update a object,.
basically,, inorder to avoid the certificate out of date, we need to impliment a fucntion in the vcluster it self , the function periodically sign a new certificate and update it into the secret before the certificate out-date.
am I right? did I get anything wrong?
Thanks for your replying again!!

@deniseschannon deniseschannon added the feature label May 8, 2024 — with Linear
@heiko-braun
Copy link
Contributor

Ho @LinPr , if you don’t mind I am closing this one in favour of #1766

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants