chore(CIS): add rotate kubelet certs flag #1052
fix unit test failure
573ae78 to 9f1f3fa
Codecov Report

```diff
@@            Coverage Diff            @@
##           master   #1052      +/-   ##
=========================================
+ Coverage   74.27%   74.27%   +<.01%
=========================================
  Files         131      131
  Lines       18246    18248       +2
=========================================
+ Hits        13552    13554       +2
  Misses       3912     3912
  Partials      782      782
```
/azp run pr-e2e

Azure Pipelines successfully started running 1 pipeline(s).
lgtm
/hold

@jackfrancis Shall we merge this PR first? With this PR, at least we could do the cert rotation when the cert is going to expire and manually approve it. There is no side effect, since at that time the cert is about to expire. And how to manually approve cert rotation here:
/lgtm

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx, jackfrancis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing

/hold cancel
Reason for Change:
Issue Fixed:
Current kubelet certs are under `/var/lib/kubelet/pki/`, and they have only one year of validity:

```
$ openssl x509 -in /var/lib/kubelet/pki/kubelet.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=k8s-master-22533604-0-ca@1553485044
        Validity
            Not Before: Mar 25 02:37:23 2019 GMT
            Not After : Mar 24 02:37:23 2020 GMT
        Subject: CN=k8s-master-22533604-0@1553485044
```
Requirements:
Notes:
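
As an added example (not part of this PR or the project's code), the following parses the Validity block of the `openssl x509 -text` output quoted in the description and classifies the certificate by remaining lifetime. The function names and the `warn_days` threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the Validity lines from the openssl output in the PR description.
SAMPLE = """\
        Validity
            Not Before: Mar 25 02:37:23 2019 GMT
            Not After : Mar 24 02:37:23 2020 GMT
"""

_FIELD = re.compile(
    r"Not (Before|After)\s*:\s*(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT"
)


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from `openssl x509 -text` output."""
    found = {}
    for kind, stamp in _FIELD.findall(text):
        # openssl pads single-digit days with an extra space ("Mar  5"); normalise it.
        stamp = " ".join(stamp.split())
        parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        found[kind] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("Validity block not found or incomplete")
    return found["Before"], found["After"]


def expiry_status(text, now, warn_days=30):
    """Classify a cert as 'expired', 'expiring' (within warn_days) or 'ok'.

    warn_days is a hypothetical alerting threshold, not a kubelet setting.
    """
    not_before, not_after = parse_validity(text)
    remaining = not_after - now
    if remaining <= timedelta(0):
        state = "expired"
    elif remaining <= timedelta(days=warn_days):
        state = "expiring"
    else:
        state = "ok"
    return {
        "lifetime_days": (not_after - not_before).days,
        "days_left": remaining.days,
        "state": state,
    }
```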