kubeadm upgrade node not rotate certificate #1818

Closed
LuckySB opened this issue Oct 4, 2019 · 5 comments · Fixed by kubernetes/website#16726

Labels: kind/bug, kind/documentation, lifecycle/active, priority/important-longterm

@LuckySB

LuckySB commented Oct 4, 2019

Versions

kubeadm version (use kubeadm version):
v1.15.0 and above

What happened?

kubeadm doc:

In Kubernetes v1.15.0 and later, kubeadm upgrade apply and kubeadm upgrade node will also automatically renew the kubeadm managed certificates on this node, including those stored in kubeconfig files. To opt-out, it is possible to pass the flag --certificate-renewal=false. For more details about certificate renewal see the certificate management documentation.

But the certificates were only updated on the first master, where the command kubeadm upgrade apply was executed.

On the second and third masters, the command kubeadm upgrade node was executed and the certificates for them remained untouched.
But when I use kubeadm with the option kubeadm upgrade node --certificate-renewal, the certificates will be updated.

What you expected to happen?

Certificates must be renewed with the command kubeadm upgrade node.

How to reproduce it (as minimally and precisely as possible)?

Install a kube cluster with 3 masters and upgrade it with kubeadm.

@neolit123
Member

neolit123 commented Oct 4, 2019 via email

looking at the source this seems like a bug.

/kind bug
/assign

@k8s-ci-robot added the kind/bug label Oct 5, 2019
@neolit123 added this to the v1.17 milestone Oct 5, 2019
@neolit123 added the priority/important-soon and lifecycle/active labels Oct 5, 2019
@neolit123
Member

@LuckySB

the fix is here:
kubernetes/kubernetes#83528
but this will land in 1.17.

we can consider backporting to 1.15 and 1.16, but given there is a workaround and given the bug is non-critical, we might just add a note in:
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#automatic-certificate-renewal

@neolit123 added the priority/important-longterm and kind/documentation labels and removed the lifecycle/active and priority/important-soon labels Oct 5, 2019
@LuckySB
Author

LuckySB commented Oct 6, 2019

Thanks so much for a quick fix.

@LuckySB closed this as completed Oct 6, 2019
@neolit123
Member

let's keep this open, until we decide if we want to add documentation note here https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#automatic-certificate-renewal
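A check an operator can run on each control-plane node after an upgrade, to confirm that the leaf certificates were actually re-issued rather than left untouched as reported above (added example, not part of the original thread and not kubeadm's own code). It assumes kubeadm's default 365-day leaf validity and an upgrade that ran within the last day; `NotRenewed`, `writeSample` and the sample file names are illustrative, and the certificates are constructed self-signed samples.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// NotRenewed lists the non-CA *.crt files under dir that expire before cutoff.
func NotRenewed(dir string, cutoff time.Time) (stale []string, err error) {
	err = filepath.WalkDir(dir, func(p string, d os.DirEntry, err error) error {
		if err != nil || d.IsDir() || filepath.Ext(p) != ".crt" {
			return err
		}
		raw, _ := os.ReadFile(p)
		block, _ := pem.Decode(raw) // nil when the file is unreadable or not PEM
		if block == nil {
			return fmt.Errorf("%s: no PEM certificate found", p)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err == nil && !cert.IsCA && cert.NotAfter.Before(cutoff) { // CAs are not renewed
			stale = append(stale, filepath.Base(p))
		}
		return err
	})
	return stale, err
}

func writeSample(path string, validFor time.Duration, isCA bool) error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // throwaway key for a constructed sample
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(validFor), IsCA: isCA, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0600)
}

func main() {
	dir, _ := os.MkdirTemp("", "pki") // constructed sample PKI directory
	defer os.RemoveAll(dir)
	writeSample(filepath.Join(dir, "ca.crt"), 180*24*time.Hour, true)
	writeSample(filepath.Join(dir, "apiserver.crt"), 180*24*time.Hour, false)
	writeSample(filepath.Join(dir, "front-proxy-client.crt"), 365*24*time.Hour, false)
	fmt.Println(NotRenewed(dir, time.Now().Add(364*24*time.Hour))) // assumed: upgraded in the last day
}
```

On a real node, point `NotRenewed` at the kubeadm certificate directory (`/etc/kubernetes/pki` by default). Certificates embedded in kubeconfig files are not covered by this check.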