From YouTube: kubeadm office hours 2020-07-08
A
A
D
E
A
F
A
So the main changes in 119 were the peers, former asti, that are very factors in the corporate coffee. We also did our work deprecations. This cycle, we are removing alpha, commands flags, as you saw the dynamic kubelet config last minutes. Deprecation core DNS is coming for a boat, but it's a breaking change, so we have a big release. Node for that, and also HCD client was already updated and it's. This server is being updated now because of image registry problems.
A
E
A
A
A
A
Talks deadline: it was for the placeholder, so code freeze, okay, so you meant enhancement, freeze, alright, so I call this feature freeze, but it's really called freeze, but they're artists and code freezes. We stopped merging features, it's not yeah, but I guess the correct term is called freeze. As per the official terminology of cig release.
A
A
A
Maybe one day we should stop doing that and we should just generalize the upgrade page to not include any program output and instead it should just you know. The Kubernetes website nowadays have automated version transition. So you know if you place a placeholder a latest. It's just going to automate everything for you.
A
A
A
A
D
Well, I, thank you for all your reviews, liberal mayor and sorry for all of the back-and-forth and the changes I've made since rusty. Did his reviews and hopefully I've simplified it quite a lot now and reduced it to a much smaller diff and removing all of the unit tests that I wrote most of the unit tests, I wrote and I'll put those in a separate PR and in actual fact, simplifying. The code was a good was a good exercise.
D
A
Yeah we had a history in kubeadm, where we have big last-minute changes and I'm not saying that your logic was incorrect or something like that, but we don't have to go back and fix some of the low small things like the whitespace fixes and things like that. Obviously, we cannot fix the one that once the branch is cut because we have to part part tomorrow and also bugs we've been bitten in the past by last-minute changes and bugs so keeping it minimal is really a good idea.
A
D
A
Yeah this is this is a good topic to discuss here, because for Blitzer is also the meeting so for certificate renewal with our command that we have explicitly for it. I can see a potential use case where somebody would want to generate CSRs using the command instead of doing in place in annual using the CA on disk. Maybe so should we stop doing that?
A
Should we stop generally CSS for the dis command, or should we continue doing that, like a kind of leaning towards telling the users fears the new command, because you know what the newer was supposed to be in place, renewal and CSS, the CSR come out miss maybe for the CSR use case. I really don't know yeah. This is my idea. I.
E
A
D
A
I can tell you right now that we are not doing that because me and Jordan removed completely this CSR API usage from kubeadm exactly exactly because of this changed external Seiler stuff. So if you look at the kubeadm source code, you're no longer going to find imports of the CSL API, so this is telling me that the the new command is basically creating CSR in key. This is maybe dance like the Togo. When you pass the system CSR only flag, it togo's, but the renewal.
E
A
E
A
A
A
To do this, because you were sure that you saw I think you saw the v5 like enable start races. This is going to overnight. It them always set a stack trace. We don't want that. You should just either wrap if you want a more descriptive message or it should just return the header right away. Instead of always adding the stuck. Are you.
D
D
A
D
A
So the idea of the wrap function and wrap it is when you want to have a more descriptive message on the side of the corner of the function. So, if I'm calling always remove- and it gives me the people that started right below the error message, but I'm not happy with it- I want to include more information on the side of the caller and who is actually performing this action. This is what I'm going to use the errors, wrap and other another message. Okay.
D
E
It's a nice mayor to talk to words on a ramadan management right. I think that we have to keep the to keep in mind to one things: that, from the other side we have of day of the CLI. We have users not to developers, so whenever possible, issues the work to provide a meaningful message to the user and the meaningful. An error message basically tells there is a problem, and this is how you you can go to you. You can move on, so we execute the command change, something it is something that helps the user.
E
Instead of as a programmer, we will like to get all the day care or errors take whatever, but this this is an output that does not help the user. He tell to the program developers and the soul, and so it is, it is a trade-off. We should give a meaningful error message to the user in normal condition and only give error stack to developers when they ask for it.
E
D
Yeah it that makes sense, no I wouldn't want the stack trace to be shown to the user and the normal circumstance isn't and it doesn't show up and unless you add the verbosity level, five, so I imagined it was I. Imagine the use case was the user does something wrong. He specifies the wrong path to a config file. They get a meaningful error message and that's it. They know how to fix it.
D
On the other hand, if it's some sort of programming area, where there's an invalid input, they will get, they will get the human readable error, but it won't be something they can fix, in which case they come to the bug tracker and submit an issue at which point we ask them to turn on verbosity level five. So we get the full stack trace, yeah, because the.
D
D
A
All right, thank you, I'm looking at the source code quickly, so this is a helper function. Now that just returns this that we used to have it that code directly, you know the bump in the cel-3 I think this is fine. Addition to this function of this function, the the errors. So this is like the the other, like idea here, is to use these for unit testing too much.
A
D
A
Yeah, but the error of dirtiest is basically doing string matching what we do instead is we normally create a custom error type. You know that extends the error or interface so on, and then you can a match by pipe assortment instead of string matching but yeah, that's a that's a that's is there. It is something that we can do in a later.
A
D
A
Yeah that every case file, the problem is that we are passing in it configuration in a lot of places where, maybe you know ideal world, we could have passed a chunk of it like a substructure. Yes, just the bits that are going to be consumed yeah. This is a huge destruction. This is a large every factor for the future.
A
F
A
A
D
A
Yes at this point, if the kind CI job fails from the PR, it means that we broke something. If it's passing, we are good because it is possible for crazy, but keeping a coaster that obviously uses these quick config files. You know your grant certificate config from cube, config spec. This is just a wrapper to return of the cert config structure. Again also I got a question about usages. I am lacking some understanding, so genera like a PKI and the synagogue is when I create us here, sir, it does not include usages right.
D
The CSR filed the it's generated with the current count doesn't include the know it could include them. Can I've got a branch where I've implemented that, even if you do include them, it doesn't really. It doesn't necessarily mean the CA will sign it with those usages. You might get back something different to what you requested, which is.
A
A
In this case, we are like pinning pretty much the client out the usage and we are not adding the rest. I know actually I'm not sure. If this cube can fix needs anything else. They don't obviously because I I know when we created the new cap for the CSR API changes with that signer name. I saw that there are some very explicit usages for some of the certificates, but also obviously, for the kubelet client, equivalent server and a generic API cry out to the field.
A
D
A
D
Now you talk about it, I don't know why I'm not actually sure that that makes any difference it would be used. It would be used in the self-signed case where this, where the self signing mechanism needs to know the usages that have been was a required doctor. A usage doesn't actually get encoded into the certificate signing request data.
A
A
D
A
D
A
A
D
Yeah I could yes--that's I could I should group them yeah yeah. Another question: I don't want to take up too much of the meeting on this. If there's other things to discuss that I I've chosen to have the new command error. If there are existing files, so it doesn't, it won't overwrite any existing files, which I thought was the safest, the safest option and it suits my suits the way we're using it in this benefiber that we're trying to put together a lot of the other commands will continue and ignore existing files.
D
A
Journal for certificates in Cuba convicts cube a their girls. The bottom two always check for existence for us instead of generating new ones, but maybe you cannot a que walk message. If you change the logic, somehow the particular place, you can have a que, walk message like a high velocity can walk v2 or something like that saying: hey I found something existing. You can I'm going to use it instead of generate a new one. Unless we already have this.
D
So, just to be clear, I am not read in in my new command are not reusing any files if they exist and the command fails and for all of the files, but as opposed to the existing command kubeadm init phase CSR only would would reuse an existing key private key and create a CSR and one didn't exist. So.
A
Here's a question Akira's: why should we fail if a CSR already exists, CSR file or key already exists? This I think is a bit of a discrepancy compared to the old to the existing commands like, but I've tried to the same. Why shouldn't we tell the user? Hey your CSR is already there. We should generate a new one for you, please remove it.
A
A
A
A
D
D
A
D
A
Given the commodity is possible for generating the chip, config files and also the CSS files and the keys I would assume that it should like. Why should fit? Why should it fail? That's the question: why should it fail if it already finds them in the folder? That is the the UX? Our argument here well.
D
I, my thinking is that if there is a key already, then presumably someone has already created a CSR or created a signed certificate for that key. So you wouldn't you wouldn't want to create another another CSR for that, if you get equation, you csru would always I think want to create a new private key.
A
D
Yes, you think what I said isn't strictly true you could you say there is a case for creating another certificate, signing request based on the existing private key. You want to renew the certificate, get have a certificate extended, but that's I think I'm right saying: that's not good practice! You, if you're going to get a new certificate you want to. You want to rotate the key as well. Absolutely yeah.
A
So it's enough, oh, come on. Let's leave it like that. For now we can error out. If somebody comes on us with the use case that we knew discussed, you mentioned right now, we can extend it but yeah. Let's, let's keep it like that. Follow everything I'll try the way, letting the users know that they should rotate both the key and the CSR.
A
D
There are helpers in the certificates phase package for checking for an existing CSR us an existing key, and they do this. They use OS that they don't I think it's wrong, they're not quite right and that they don't return the error from OS stat. So you would never pick up on the fact that a file does exist, but it's Commission's don't allow you to see it.
A
D
That's not ideal either because I'm reusing I didn't want in the interests of keeping the patch small and reusing the existing helper functions. But ideally there would be a two separate checks, one for the CSR and one for the key, I. Think and actually the other thing. I don't like about the way that PKI utilities all is laid out is that they the reason for their existence.
A
Basically, the story there is that we, we are using current goal and it has some utilities, but they are not sufficient. They are sufficient for some of the usages in poor communities, but not for kubeadm. So, basically, the hope a coyote was spawned because of trying to extend the client go YouTube, but they are not. They are not a guaranteed API. We can change them even if they are exported. We don't give any guarantees.
D
A
D
D
A
D
D
Jet stock have recently been acquired by a company called benef I, who are a certificate management who produced software for certificate management and auditing. So what we're trying to do? What I'm trying to do is see how far I can get in having all of the Cuban eTI's control, playing certificates and kubelet certificates and signed by identify certificate authority.
D
It'll be it'll, be I'm, not it's not. Hopefully it shouldn't be tied to benefiting this generic and ties in with what my colleague, James Nunnally, has been doing on the the the built-in CSR API. But you lyubimov talk to him about it, so maybe in future we will be able to have something like have some way of hooking in to kubeadm to bootstrap the cluster with externally signed certificates and then during renewal. The renewal process can be via they, the the CS, the the the Kubernetes certificate signing request, s-- with an external signer.
D
So the reason you've pulled out the signer stuff from kubeadm at the moment, is because it was relying on the built-in signer. What we're hoping to do is to have a controller running in the cluster which can sign those requests for CS certificate. Signing request, signed with a different signer name and have those signed by benefice, for example.
D
A
A
A
C
E
D
It's to do with the to do with that dynamic population of dynamic, yeah dynamic setting of certain kubeadm a in it configuration fields. So yeah. Quite remember: that's that's that bits. A couple of weeks ago, I've forgotten the the reasoning behind I was struggling to to figure out how the command line flag should interact with with the config values in and such.
D
A
Yeah I wanted to quickly discuss this topic and so I think I've covered some misunderstanding of the whole again, the CSR business, so the kubrik greater CSR for the corporate class certificate it like in, like 95 percent of the use cases, is managed by the tos booster process itself. kubeadm just creates a cube config. We were talking for most users like, but with even in VMware, we have people like one of our products is using client certificates instead of like we have.
A
A
D
Yeah I think this is fine, not very this part of it, but what what it seemed to me was that there's a special case for the kubelet running blood. It seemed to me that that doesn't use the doesn't connect to the API server using a bootstrap token, because it is running the API server as a static pod. This there's something about that. First kubelet, that's special and it does only use this.
D
It does only use this kubelet file briefly until it's had a chance to establish a connection to the API server and then it renews its certificate using the API server and control controller manager. Mechanism I think it's necessary, but this is one of the things that hashing and I are just just testing at the moment. So you might be right, it might not be necessary. I.
A
Mean it is not going to harm us if we leave it as an option. Just you know allow the command to generate the correct CSR and key for this after that, if we find it the redundant, we can amend the command after. Oh it's awful, but yeah. This is my thinking for now. I've gotta, also kind of confused and I also have some gaps. In my understanding of the primary, like the initial kubelet posts, are the first node.
A
It's III, remember digging into this, and if you look at the source code of kubeadm you're going to find that we actually, if certificate rotation is enabled we go into the kubelet dot-com file and we manually change change it to point to the rotatable kubelet client certificate, because we couldn't figure out and see how did I have the time to help us. We couldn't figure out how the process actually works, and why like? Why are we not getting this automatically done for us, but yeah I? Guess we can leave this for now.
A
I think the unit tests are fine. We have to add the meeting because we are out of time overall I think this is ok. I I think you just reused some parts of the unit test from before yeah I'm going to have another look after this and add comments and I. Do you think you can amend this till end of day tomorrow, like kids and to end of day Pacific tomorrow, yeah.
D
You know I can certainly if it's just these few changes. We've talked about I think so yeah. But if you honestly, if you've got other reviews and pull requests that you need to get done before the merge deadline, then don't worry about don't worry about this. It can wait until the next release, if necessary.