
kubeadm: validate local etcd certificates during expiration checks #106891

Conversation

neolit123
Member

@neolit123 neolit123 commented Dec 8, 2021

What type of PR is this?

/kind bug

What this PR does / why we need it:

kubeadm: validate local etcd certificates during expiration checks

In case stacked etcd is used, the code that does expiration checks
does not validate if the etcd CA is "external" (missing key)
and if the etcd CA signed certificates are valid.

Add a new function UsingExternalEtcdCA() similar to existing functions
for the cluster CA and front-proxy CA, that performs the checks for
missing etcd CA key and certificate validity.

This function only runs for stacked etcd, since if etcd is external
kubeadm does not track any certs signed by that etcd CA.

This fixes a bug where the etcd CA will be reported as local even
if the etcd/ca.key is missing during "certs check-expiration".

This second commit is a cleanup on the side...

kubeadm: print the CA of kubeconfig files in "check expiration" 

Apply a small fix to ensure the kubeconfig files
that kubeadm manages have a CA when printed in the table
of the "check expiration" command. "CAName" is the field used for that.

In practice kubeconfig files can contain multiple credentials
from different CAs, but this is not supported by kubeadm and there
is a single cluster CA that signs the single client cert/key
in kubeadm managed kubeconfigs.

Which issue(s) this PR fixes:

xref kubernetes/kubeadm#2618 (comment)
xref kubernetes/kubeadm#2618

Special notes for your reviewer:

Does this PR introduce a user-facing change?

kubeadm: during execution of the "check expiration" command, treat the etcd CA as external if there is a missing etcd CA key file (etcd/ca.key) and perform the proper validation on certificates signed by the etcd CA. Additionally, make sure that the CA for all entries in the output table is included - for both certificates on disk and in kubeconfig files.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

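The rule the description spells out (treat the etcd CA as external when etcd/ca.key is missing, but still verify that the certificates kubeadm expects that CA to have signed actually chain to it) can be shown with the Go standard library. The block below is an added example and is not kubeadm's code: checkCA is a hypothetical stand-in for the UsingExternalEtcdCA() logic named in the PR, newCert builds constructed in-memory certificates in place of the PEM files on disk, and Scenarios runs the three cases a check-expiration run can hit: key present (local CA), key missing (external CA, the case the PR fixes), and a certificate chained to some other CA (an error rather than a silently wrong table row).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a self-signed CA (parent == nil) or a leaf signed by parent.
// Constructed stand-in for the files under the pki directory; not kubeadm code.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.NotAfter = now.Add(10 * 365 * 24 * time.Hour)
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkCA is a hypothetical reimplementation of the rule described for
// UsingExternalEtcdCA(): the CA is "external" when its private key is absent
// (caKey == nil), and every certificate the CA is expected to have signed must
// verify against it, whether or not the key is present.
func checkCA(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, signed map[string]*x509.Certificate, now time.Time) (external bool, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for name, c := range signed {
		if _, verr := c.Verify(opts); verr != nil {
			return false, fmt.Errorf("certificate %q is not signed by CA %q: %w", name, caCert.Subject.CommonName, verr)
		}
	}
	return caKey == nil, nil
}

// Result collects the outcome of the three scenarios so callers can inspect them.
type Result struct {
	LocalExternal      bool  // key present: should be false
	MissingKeyExternal bool  // key missing: should be true
	MismatchErr        error // cert from another CA: should be non-nil
}

// Scenarios runs the local, missing-key and wrong-CA cases against one etcd CA.
func Scenarios() (Result, error) {
	var r Result
	now := time.Now()
	etcdCA, etcdKey, err := newCert("etcd-ca", true, nil, nil, now)
	if err != nil {
		return r, err
	}
	signed := map[string]*x509.Certificate{}
	for _, name := range []string{"etcd-peer", "etcd-server"} {
		leaf, _, lerr := newCert(name, false, etcdCA, etcdKey, now)
		if lerr != nil {
			return r, lerr
		}
		signed[name] = leaf
	}
	if r.LocalExternal, err = checkCA(etcdCA, etcdKey, signed, now); err != nil {
		return r, err
	}
	// Same certificates, but the CA key is gone: the CA must now be reported as external.
	if r.MissingKeyExternal, err = checkCA(etcdCA, nil, signed, now); err != nil {
		return r, err
	}
	// A certificate issued by a different CA must surface as an error, not as a valid row.
	otherCA, otherKey, err := newCert("other-ca", true, nil, nil, now)
	if err != nil {
		return r, err
	}
	stray, _, err := newCert("etcd-healthcheck-client", false, otherCA, otherKey, now)
	if err != nil {
		return r, err
	}
	signed["etcd-healthcheck-client"] = stray
	_, r.MismatchErr = checkCA(etcdCA, nil, signed, now)
	return r, nil
}

func main() {
	r, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("key present:  external=%v\nkey missing:  external=%v\nwrong CA:     %v\n", r.LocalExternal, r.MissingKeyExternal, r.MismatchErr)
}
```

The key point the PR makes is the ordering of the two checks: the missing-key test decides only the EXTERNALLY MANAGED column, while the chain verification runs in both cases, so a certificate under the etcd CA that does not actually validate is reported regardless of whether the CA key exists.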
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Dec 8, 2021
@neolit123
Member Author

/triage accepted
/priority backlog
/cc @pacoxu

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Dec 8, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 8, 2021
@SataQiu
Member

SataQiu commented Dec 9, 2021

It works fine.

[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 06, 2022 10:59 UTC   332d            ca                      no
apiserver                  Nov 06, 2022 10:59 UTC   332d            ca                      no
apiserver-etcd-client      Nov 06, 2022 10:59 UTC   332d            etcd-ca                 yes
apiserver-kubelet-client   Nov 06, 2022 10:59 UTC   332d            ca                      no
controller-manager.conf    Nov 06, 2022 10:59 UTC   332d            ca                      no
etcd-healthcheck-client    Nov 06, 2022 10:59 UTC   332d            etcd-ca                 yes
etcd-peer                  Nov 06, 2022 10:59 UTC   332d            etcd-ca                 yes
etcd-server                Nov 06, 2022 10:59 UTC   332d            etcd-ca                 yes
front-proxy-client         Nov 06, 2022 10:59 UTC   332d            front-proxy-ca          no
scheduler.conf             Nov 06, 2022 10:59 UTC   332d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 04, 2031 10:59 UTC   9y              no
etcd-ca                 Nov 04, 2031 10:59 UTC   9y              yes
front-proxy-ca          Nov 04, 2031 10:59 UTC   9y              no

@SataQiu SataQiu left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 9, 2021
@SataQiu
Member

SataQiu commented Dec 9, 2021

We can also cherry-pick this to the previous versions after it is merged.

@k8s-triage-robot

The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass.

This bot retests PRs for certain kubernetes repos according to the following rules:

  • The PR does have any do-not-merge/* labels
  • The PR does not have the needs-ok-to-test label
  • The PR is mergeable (does not have a needs-rebase label)
  • The PR is approved (has cncf-cla: yes, lgtm, approved labels)
  • The PR is failing tests required for merge

You can:

/retest

@k8s-ci-robot k8s-ci-robot merged commit f98f27b into kubernetes:master Dec 9, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.24 milestone Dec 9, 2021
k8s-ci-robot added a commit that referenced this pull request Dec 10, 2021
…06891-origin-release-1.23

Automated cherry pick of #106891: kubeadm: validate local etcd certificates during
k8s-ci-robot added a commit that referenced this pull request Dec 10, 2021
…06891-origin-release-1.21

Automated cherry pick of #106891: kubeadm: validate local etcd certificates during
k8s-ci-robot added a commit that referenced this pull request Dec 10, 2021
…06891-origin-release-1.22

Automated cherry pick of #106891: kubeadm: validate local etcd certificates during
k8s-ci-robot added a commit that referenced this pull request Dec 10, 2021
…06891-origin-release-1.20

Automated cherry pick of #106891: kubeadm: validate local etcd certificates during