Continue refactoring certs into nodeup #9354
/lgtm

When someone upgrades to a version of Kops that includes these refactors, they'll be left with orphaned certificates in their state store, correct? Perhaps we'll want to include a release note on cleaning them up after upgrading.
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johngmyers, rifelpet

The full list of commands accepted by this bot can be found here. The pull request process is described here
They will, but then they'll also have the CA private keys in the state store. This would be more of a concern for keys that can be accessed from worker nodes.
Ah, that's true. Anything that currently has read access to the orphaned certs and private keys also has read access to the CA private keys 👍
/retest
Finally got the api-server server cert. It took a lot of refactoring to get here.