Skip to content

Add periodic job for signed kubelet serving certs #35255

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add periodic job for signed kubelet serving certs #35255

wants to merge 1 commit into from

Conversation

g-gaston
Copy link
Contributor

@g-gaston g-gaston commented Aug 1, 2025

This runs all the e2e tests for on-by-default features against a cluster with kubelet server certificates signed by the CP (as opposed to the default self-signed). This way we make sure we exercise certificate validation on any test making exec/logs/port-forward requests.

I tested this locally (with pj on kind) and I got all tests passing except a few ones using volumes. I suspect this is because I'm running "prow" inside a kind cluster and not because of the job's code. I got the same failures when running ci-kubernetes-e2e-kind locally.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 1, 2025
@k8s-ci-robot k8s-ci-robot added area/config Issues or PRs related to code in /config area/jobs sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Aug 1, 2025
@enj enj added this to SIG Auth Aug 2, 2025
@enj enj moved this to Needs Triage in SIG Auth Aug 2, 2025
@aramase aramase moved this from Needs Triage to In Review in SIG Auth Aug 4, 2025
@aramase
Copy link
Member

aramase commented Aug 4, 2025

/triage accepted
/assign

@k8s-ci-robot k8s-ci-robot added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Aug 4, 2025
BenTheElder
BenTheElder reviewed Aug 4, 2025
View reviewed changes
@g-gaston g-gaston force-pushed the ci-periodic-job-kubelet-server-certs branch 2 times, most recently from 65e25b4 to 8735d2f Compare August 6, 2025 13:42
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/testgrid and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 6, 2025
aramase
aramase reviewed Aug 21, 2025
View reviewed changes
config/jobs/kubernetes/sig-auth/signed-kubelet-server-certs.yaml
Comment on lines +14 to +17
- org: kubernetes
repo: kubernetes
base_ref: master
path_alias: k8s.io/kubernetes
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this needs to be set as workdir?

Suggested change
- org: kubernetes
repo: kubernetes
base_ref: master
path_alias: k8s.io/kubernetes
- org: kubernetes
repo: kubernetes
base_ref: master
path_alias: k8s.io/kubernetes
workdir: true

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It didn't seem to be required when I tested it, but it does make sense. Changed since it prob doesn't hurt

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 21, 2025
@g-gaston g-gaston force-pushed the ci-periodic-job-kubelet-server-certs branch from 8735d2f to fab39eb Compare September 15, 2025 17:08
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 15, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: g-gaston
Once this PR has been reviewed and has the lgtm label, please assign enj for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@g-gaston g-gaston force-pushed the ci-periodic-job-kubelet-server-certs branch from fab39eb to cc65e72 Compare September 15, 2025 17:14
@g-gaston g-gaston requested a review from aramase September 15, 2025 17:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BenTheElder BenTheElder BenTheElder left review comments

@liggitt liggitt Awaiting requested review from liggitt

@mikedanese mikedanese Awaiting requested review from mikedanese

@aramase aramase Awaiting requested review from aramase

Assignees

@aramase aramase

Labels
area/config Issues or PRs related to code in /config area/jobs area/testgrid cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Status: In Review
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@g-gaston @aramase @k8s-ci-robot @BenTheElder