Allow "kops create keypair" to stage next CA cert #11252
/retest
The other way we could go with this is @justinsb what do you think?
Office Hours decision: Change to
Also treat the map key id as authoritative
f31a858 to 0fee909
Will address
/assign @olemarkus
I think perhaps the documentation is a bit unclear, but that can be sorted out later when all the pieces are in place.
cmd.Flags().StringVar(&options.CertPath, "cert", options.CertPath, "Path to CA certificate") | ||
cmd.Flags().StringVar(&options.PrivateKeyPath, "key", options.PrivateKeyPath, "Path to CA private key") | ||
cmd.Flags().BoolVar(&options.Primary, "primary", options.Primary, "Make the CA used to issue certificates") |
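Review bot: the `--primary` help string, "Make the CA used to issue certificates", does not say what happens when the flag is left off, or that setting it changes which CA signs new certificates. Suggest wording along the lines of "Make the new CA the one used to issue certificates" plus a sentence stating how the CA is added when the flag is not given. The `--cert` and `--key` descriptions also still read as plain required paths; if either may be omitted, the help text should say what is generated in that case.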
I am struggling a bit with understanding this description.
Maybe it also makes sense to provide an example using --primary
Should there also be a warning around this one? If primary is set, and you create a new primary key directly, the rotation will not be graceful?
That will indeed be a disruptive change. It might be used in new-cluster situations, such as the integration tests.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: olemarkus
Next step after #11219
- `kops create secret keypair ca` to `kops create keypair ca`
- `--primary` flag instead adds the CA as primary.
- `--cert` flag may now be omitted, in which case it will issue a new cert.
- `--key` flag may now be omitted if either the `--cert` or `--primary` flags are omitted, in which case it will create a new key.
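The review thread above notes that making a new CA primary directly is not a graceful rotation. The following added example (not code from this PR or from kops) shows the underlying X.509 behaviour with Go's standard library; the names `old-ca`, `new-ca` and `apiserver` are constructed, and it assumes that staging means clients receive the new CA certificate in their trust bundle before it issues anything.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for cn with the given CA; a nil CA yields a self-signed CA.
func issue(cn string, caCert *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if caCert == nil { // no issuer given: make a self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		caCert, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced on the line above
	return cert, key
}

// trusted reports whether leaf chains to a CA in the client's trust bundle.
func trusted(leaf *x509.Certificate, bundle ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range bundle {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// rotate checks a leaf issued by the new CA against an old-only bundle and a staged bundle.
func rotate() (unstaged, staged bool) {
	oldCA, _ := issue("old-ca", nil, nil)
	newCA, newKey := issue("new-ca", nil, nil)
	leaf, _ := issue("apiserver", newCA, newKey)
	return trusted(leaf, oldCA), trusted(leaf, oldCA, newCA)
}

func main() { fmt.Println(rotate()) }
```

A client that only holds the old CA rejects the new leaf, while a client whose bundle already contains the staged CA accepts it.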