ETCD-512: refactoring the cert signer controller #1194
Conversation
|
@tjungblu: This pull request references ETCD-512 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
openshift-ci-robot
added
the
jira/valid-reference
openshift-ci
bot
added
the
approved
|
/payload 4.16 nightly blocking |
|
@tjungblu: trigger 8 job(s) of type blocking for the nightly release of OCP 4.16
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/394126f0-c1d5-11ee-9c5f-e0ca9c5926f2-0 |
|
/override ci/prow/e2e-gcp-qe-no-capabilities |
|
@dusk125: Overrode contexts on behalf of dusk125: ci/prow/e2e-gcp-qe-no-capabilities In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@tjungblu: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/payload 4.16 nightly blocking /retest-required |
|
@hasbro17: trigger 8 job(s) of type blocking for the nightly release of OCP 4.16
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/7e4b76b0-c3f6-11ee-8613-f3389024c56c-0 |
This PR will * replace the existing cert rotation logic with more battle tested ones from library-go * create new signer certificates (metrics + serving) in openshift-etcd namespace, in addition to existing ones in openshift-config * create new server certificates (peer, serving, serving-metrics) * create new client certificates (etcd-client, etcd-metrics) * bundle existing signer certificates with newly created CAs (to stay backward compatible) The consequence of merging this PR is: * an additional static pod rollout during installation and upgrades (slightly longer install/upgrade time expected) * all existing certs are rotated with existing old and new signers, which are distributed to all nodes for actual signer rotation later on Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
tjungblu
force-pushed
the
cert_playground
branch
from
9408eef
to
6087859
Compare
|
/payload 4.16 nightly blocking |
|
@tjungblu: trigger 8 job(s) of type blocking for the nightly release of OCP 4.16
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/a3e015c0-c400-11ee-94e3-370cbf03b515-0 |
|
/test ? |
|
@tjungblu: The following commands are available to trigger required jobs:
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test e2e-metal-single-node-live-iso |
|
/retest |
|
/test e2e-agnostic-ovn-upgrade |
|
/payload 4.16 nightly informing |
|
@tjungblu: trigger 67 job(s) of type informing for the nightly release of OCP 4.16
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/42f88820-c417-11ee-9923-b2c39df01c7a-0 |
|
/payload 4.16 nightly blocking doing another run for good measure, the last one looks green |
|
@tjungblu: trigger 8 job(s) of type blocking for the nightly release of OCP 4.16
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/0b25daf0-c41d-11ee-8c9f-85d39827da70-0 |
|
/test e2e-aws-ovn-single-node |
|
/payload 4.16 nightly blocking |
|
@tjungblu: trigger 8 job(s) of type blocking for the nightly release of OCP 4.16
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/9def14f0-c43b-11ee-82f9-c65155bbdba0-0 |
|
/hold |
openshift-ci
bot
added
the
do-not-merge/hold
|
/payload 4.16 nightly blocking |
|
@tjungblu: trigger 8 job(s) of type blocking for the nightly release of OCP 4.16
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/bfa3aee0-c4ee-11ee-8a96-f12eeb05e18f-0 |
|
/hold cancel |
openshift-ci
bot
removed
the
do-not-merge/hold
|
@dgoodwin / @simonpasquier I think we're good again, the payloads (if they were running) were green. @hasbro17 is going to review this over the course the day and hopefully get this merged again - so heads-up in case there are any issues |
|
TY and GL! |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hasbro17, tjungblu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit 18f24da
into
openshift:master
|
[ART PR BUILD NOTIFIER] This PR has been included in build cluster-etcd-operator-container-v4.16.0-202402070113.p0.g18f24da.assembly.stream.el9 for distgit cluster-etcd-operator. |
In OCP 4.16 the cluster-etcd-operator moved to using library-go/certrotation and that leads to the following etcd TLS secrets having annotations that include the IP and the hostname: - openshift-etcd/etcd-peer-<hostname> - openshift-etcd/etcd-serving-<hostname> - openshift-etcd/etcd-serving-metrics-<hostname> The respective annotations are: - auth.openshift.io/certificate-hostnames - this includes the IP - openshift.io/description - this includes the hostname Recert now replaces the IP and the hostname in those annotations, in order to skip an additional etcd rollout that is triggered because of the former. openshift/cluster-etcd-operator#1194 Signed-off-by: Michail Resvanis <mresvani@redhat.com>
In OCP 4.16 the cluster-etcd-operator moved to using library-go/certrotation and that leads to the following etcd TLS secrets having annotations that include the IP and the hostname: - openshift-etcd/etcd-peer-<hostname> - openshift-etcd/etcd-serving-<hostname> - openshift-etcd/etcd-serving-metrics-<hostname> The respective annotations are: - auth.openshift.io/certificate-hostnames - this includes the IP - openshift.io/description - this includes the hostname Recert now replaces the IP and the hostname in those annotations, in order to skip an additional etcd rollout that is triggered because of the former. openshift/cluster-etcd-operator#1194 Signed-off-by: Michail Resvanis <mresvani@redhat.com>
In OCP 4.16 the cluster-etcd-operator moved to using library-go/certrotation and that leads to the following etcd TLS secrets having annotations that include the IP and the hostname: - openshift-etcd/etcd-peer-<hostname> - openshift-etcd/etcd-serving-<hostname> - openshift-etcd/etcd-serving-metrics-<hostname> The respective annotations are: - auth.openshift.io/certificate-hostnames - this includes the IP - openshift.io/description - this includes the hostname Recert now replaces the IP and the hostname in those annotations, in order to skip an additional etcd rollout that is triggered because of the former. openshift/cluster-etcd-operator#1194 Signed-off-by: Michail Resvanis <mresvani@redhat.com>
In OCP 4.16 the cluster-etcd-operator moved to using library-go/certrotation and that leads to the following etcd TLS secrets having annotations that include the IP and the hostname: - openshift-etcd/etcd-peer-<hostname> - openshift-etcd/etcd-serving-<hostname> - openshift-etcd/etcd-serving-metrics-<hostname> The respective annotations are: - auth.openshift.io/certificate-hostnames - this includes the IP - openshift.io/description - this includes the hostname Recert now replaces the IP and the hostname in those annotations, in order to skip an additional etcd rollout that is triggered because of the former. openshift/cluster-etcd-operator#1194 Signed-off-by: Michail Resvanis <mresvani@redhat.com>
Second try, containing a fix for the client secret deletion described in:
https://issues.redhat.com/browse/TRT-1485?focusedId=24060763&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-24060763
This PR will
The consequence of merging this PR is: