
vcluster CLI: add a subcommand to update the kubeconfig (especially the certificate) stored in the secret

Open LinPr opened this issue 1 year ago • 2 comments

Is your feature request related to a problem?

According to the vcluster CLI source code, every time we execute the command vcluster connect <vcluster-name>, the vcluster CLI program fetches the kubeconfig information from a secret; this secret is created after the vcluster pod is running.
And I checked the certificate inside the kubeconfig (which is fetched from the secret): the certificate inside this kubeconfig only lasts 1 year. Well, there is a problem: what if someone creates a vcluster and it keeps running for more than 1 year? After that, he can't use vcluster connect <vcluster-name> any more. I mean, according to the code, vcluster doesn't seem to update the kubeconfig and certificate automatically. Well, maybe I overlooked some code that already does this work; if so, please let me know!

Which solution do you suggest?

If this scenario does exist, we could probably add a subcommand to the vcluster CLI which will update the kubeconfig and certificate stored in the secret. Maybe there is some other, better way to implement this, such as automatically updating the certificate inside the sync process or something else?

Which alternative solutions exist?

No response

Additional context

No response

LinPr, Apr 30 '24 09:04

@LinPr thanks for creating this issue! vCluster itself should update the secret and then the connect command will pick that up: https://github.com/loft-sh/vcluster/blob/0f3446aa3f2dd1a3c3ef66240fdae6a790de36a3/pkg/util/kubeconfig/kubeconfig.go#L66 . If you want to ignore the certificate you can also do vcluster connect ... --insecure

FabianKramm, Apr 30 '24 10:04

> @LinPr thanks for creating this issue! vCluster itself should update the secret and then the connect command will pick that up: https://github.com/loft-sh/vcluster/blob/0f3446aa3f2dd1a3c3ef66240fdae6a790de36a3/pkg/util/kubeconfig/kubeconfig.go#L66 . If you want to ignore the certificate you can also do vcluster connect ... --insecure

Yes, thanks for replying. I've read this part of the code, and the function controllerutil.CreateOrPatch that you mentioned could be useful for creating or updating an object.
Basically, in order to avoid the certificate going out of date, we need to implement a function in vcluster itself; the function periodically signs a new certificate and updates it in the secret before the certificate goes out of date.
Am I right? Did I get anything wrong?
Thanks again for your reply!!

LinPr, Apr 30 '24 12:04

Hi @LinPr, if you don’t mind I am closing this one in favour of https://github.com/loft-sh/vcluster/issues/1766

heiko-braun, Jun 19 '24 05:06