馃尡 Detect certificate expiry from kube-apiserver serving cert #7355
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
/assign @fabriziopandini @vincepri @ykakarap Please take a look. Quick feedback would be really appreciated! |
|
/test pull-cluster-api-e2e-full-main clusterctl upgrade test should be able to prove that existing machines get the expiry annotation after the upgrade EDIT: kind: KubeadmConfig
metadata:
annotations:
machine.cluster.x-k8s.io/certificates-expiry: "2023-10-06T06:11:17Z"
creationTimestamp: "2022-10-06T06:11:04Z"clusterctl upgrade using ClusterClass (v1.2=>current) [ClusterClass]: apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
kind: KubeadmConfig
metadata:
annotations:
machine.cluster.x-k8s.io/certificates-expiry: "2023-10-06T07:19:20Z"
creationTimestamp: "2022-10-06T07:19:02Z" |
There was a problem hiding this comment.
The approach looks good to me
We should fix also documentation (see #7268)
sbueringer
force-pushed
the
pr-detect-cert-expiry-from-apiserver
branch
from
5e6695a
to
2b04c4e
Compare
|
@fabriziopandini All findings should be adressed /test pull-cluster-api-e2e-full-main |
sbueringer
force-pushed
the
pr-detect-cert-expiry-from-apiserver
branch
from
2b04c4e
to
f768132
Compare
|
/test pull-cluster-api-e2e-full-main |
k8s-ci-robot
added
the
lgtm
|
/hold Waiting for feedback from Vince and then I want to add some test coverage before merge. |
k8s-ci-robot
added
the
do-not-merge/hold
k8s-ci-robot
added
the
approved
|
Ready to unhold/unwip? |
|
I would add a few unit tests tomorrow and Fabrizio can lgtm afterwards Primarily wanted the non-test code finalized/reviewed |
Signed-off-by: Stefan B眉ringer buringerst@vmware.com
sbueringer
force-pushed
the
pr-detect-cert-expiry-from-apiserver
branch
from
f768132
to
a7a4740
Compare
k8s-ci-robot
removed
the
lgtm
sbueringer
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
Added unit test, now ready for merge |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: fabriziopandini, vincepri The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
Signed-off-by: Stefan B眉ringer buringerst@vmware.com
What this PR does / why we need it:
WIP: waiting for feedback before implementing unit tests
This PR changes the detection of the certificate expiry. Instead of setting it only for new machines
in CABPK now we detect it in KCP from the serving certificate of the kube-apiserver.
This has the big advantage that it allows detecting certificate expiry of pre-existing machines!
For more details see: #7342 (comment)
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #7342