What happened: @JBWatenbergScality created a VM with MetalK8s 2.10 (but should be reproducible on all versions) with a very long name metalk8s-single-module-federation-bootstrap.novalocal (53 characters).
The hostname is by default used as the Salt minion ID.
This ID is then used when generating the salt-master kubeconfig, using it as the CN by appending the salt-master- prefix to it and in this specific case, making it 65 characters long.
Since this is not considered as a valid CN, kube-apiserver then rejects any authentication from the salt-master, hence the bootstrap fails throwing some Python traceback with HTTP 401 error codes.
What was expected:
Either the bootstrap goes to the end, or a clear error message stating that the salt-minion ID is too long is shown early during the bootstrap process.
Steps to reproduce:
Create a VM with a name of 53+ characters or just set the salt-minion ID prior to launching the bootstrap:
Resolution proposal (optional):
We can either add a pre-check to ensure the salt-minion ID is shorter than 53 characters and bail out early if not, or we could truncate the name to fit in the 64 allowed characters (to be checked if it does not create any other issue).
Strictly speaking, the minion ID is not too long. The CN we generate is. Hence, given said CN is not used for host identification, can't we truncate it, somewhat under the assumption variable parts of a hostname/FQDN come 'early' rather than at its end? Basically
In [1]: "salt-master-my-super-long-minion-id-that-puts-metalk8s-bootstrap-in-fire"[:64]
Out[1]: 'salt-master-my-super-long-minion-id-that-puts-metalk8s-bootstrap'
Totally agree.
We can't be sure for the variable part of the name (we could check it when adding a node to the cluster)... but if you have a cluster with the first 52 chars shared by some machines, you likely need to review your naming convention.
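The two resolutions discussed in this thread, sketched as an added example that is not part of the original issue or of the MetalK8s code base: a pre-check that fails early, and truncation with a check for minion IDs that would end up sharing one CN. Only the `salt-master-` prefix and the 64-character limit come from the thread; every function and class name here is hypothetical, and the colliding hostnames are constructed.

```python
# Added example, not MetalK8s code. Function and class names are hypothetical.
CN_PREFIX = "salt-master-"  # prefix named in the issue
CN_MAX_LEN = 64             # CN length limit stated in the issue
MAX_MINION_ID_LEN = CN_MAX_LEN - len(CN_PREFIX)  # longest ID that still fits


class MinionIDTooLong(ValueError):
    """Raised by the pre-check so the bootstrap can stop with a clear message."""


def precheck_minion_id(minion_id):
    """Resolution 1: reject the ID up front instead of failing later with HTTP 401."""
    cn = CN_PREFIX + minion_id
    if len(cn) > CN_MAX_LEN:
        raise MinionIDTooLong(
            "Salt minion ID {!r} is {} characters long; the generated CN would be "
            "{} characters (limit {}). Use a minion ID of at most {} characters."
            .format(minion_id, len(minion_id), len(cn), CN_MAX_LEN, MAX_MINION_ID_LEN)
        )
    return cn


def truncated_cn(minion_id):
    """Resolution 2: truncate the CN, like the [:64] slice shown in the thread."""
    return (CN_PREFIX + minion_id)[:CN_MAX_LEN]


def truncation_collisions(minion_ids):
    """Map each truncated CN shared by several minion IDs to those IDs."""
    by_cn = {}
    for minion_id in minion_ids:
        by_cn.setdefault(truncated_cn(minion_id), []).append(minion_id)
    return {cn: ids for cn, ids in by_cn.items() if len(ids) > 1}


if __name__ == "__main__":
    reported = "metalk8s-single-module-federation-bootstrap.novalocal"  # from the issue
    try:
        precheck_minion_id(reported)
    except MinionIDTooLong as exc:
        print("pre-check:", exc)
    print("truncated:", truncated_cn(reported))

    # Constructed hostnames that only differ after their first 52 characters.
    shared = "rack-" + "x" * 47
    print("collisions:", truncation_collisions([shared + "-a", shared + "-b", reported]))
```

Running the collision check when a node is added, as suggested in the thread, turns a shared truncated CN into a visible naming problem rather than a silent overlap.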
Component: salt