Add etcd-manager certificate expiration advisory
Showing 1 changed file with 42 additions and 0 deletions.
@@ -0,0 +1,42 @@ | ||
# etcd-manager Certificate Expiration | ||
|
||
etcd-manager configures certificates for TLS communication between kube-apiserver and etcd, as well as between etcd members. | ||
These certificates are signed by the cluster CA and are valid for a duration of 1 year. | ||
Affed versions of etcd-manager did not handle the rotation of these certificates automatically. | ||
This means if the certificates expire, the etcd cluster and kube-apiserver will be inaccessible. | ||
This results in downtime of the cluster's control-plane. | ||
|
||
## How do I know if I'm affected? | ||
|
||
Clusters are affected by this issue if they're using a version of etcd-manager < XXXXXX. | ||
The etcd-manager version is set automatically based on the Kops version. | ||
These Kops versions are affected: | ||
|
||
* Kops 1.10.0-alpha.1 through 1.16.1 | ||
* Kops 1.17.0-alpha.1 through 1.17.0-beta.1 | ||
* Kops 1.18.0-alpha.1 | ||
|
||
The issue can be confirmed by checking the ClusterSpec: | ||
|
||
``` | ||
kops get cluster $CLUSTER_NAME -o yaml | ||
``` | ||
|
||
If the field `spec.etcdClusters[*].provider` is set to `manager`, or if it is not present and the cluster is managed with Kops >= 1.12.0, the cluster is affected. | ||
|
||
## Solution | ||
|
||
etcd-manager versions >= 3.0.20200428 will request new certificates before they expire. | ||
|
||
Clusters can be upgraded to this version of etcd-manager in two ways: | ||
|
||
* Upgrade to Kops 1.16.2, 1.17.0-beta.2, or 1.18.1-alpha.2. | ||
This is the recommended approach. | ||
Follow the normal steps when upgrading Kops and confirm the etcd-manager image will be updated based on the output of `kops update cluster`. | ||
* Override the etcd-manager image in the ClusterSpec: | ||
``` | ||
kops edit cluster $CLUSTER_NAME | ||
Set `spec.etcdClusters[*].manager.image` to `kopeio/etcd-manager:3.0.20200428` | ||
kops update cluster # confirm the image is being updated | ||
kops update cluster --yes | ||
``` |
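Review bot: the affected-version threshold in the line `Clusters are affected by this issue if they're using a version of etcd-manager < XXXXXX.` is still a placeholder; fill in the real etcd-manager version before this advisory ships (the Solution section states that versions `>= 3.0.20200428` request new certificates, so the bound is presumably `< 3.0.20200428`), otherwise readers cannot compare against the image their cluster actually runs. Two smaller points in the same hunk: `Affed versions of etcd-manager` should read `Affected versions of etcd-manager`, and the fixed-version list names `1.18.1-alpha.2` while the affected list names `1.18.0-alpha.1`, so one of those two looks like a typo and should be checked against the actual release that carries the new etcd-manager image. Finally, the second fenced block under Solution interleaves an instruction sentence (`Set \`spec.etcdClusters[*].manager.image\` to ...`) with shell commands; moving that sentence out of the fence, or turning it into a shell comment, keeps the block copy-pasteable. Since the whole problem is an expiry date, consider also telling readers how to read the current certificate expiry so they can judge how urgent the upgrade is.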