kubeadm: remove usage of the "certificates" API for cert renewal #90143

Merged


neolit123
Member

What this PR does / why we need it:

WIP: waiting on kubernetes/enhancements#1513 to go GA.

The flag "--use-api" for "alpha certs renew" was deprecated in 1.18.
Remove the flag and related logic that executes certificate renewal
using "api/certificates/v1beta1". kubeadm continues to be able
to create CSR files and renew using the local CA on disk.

Which issue(s) this PR fixes:

Fixes kubernetes/kubeadm#2047

Special notes for your reviewer:
NONE

Does this PR introduce a user-facing change?:

kubeadm: remove the deprecated "--use-api" flag for "kubeadm alpha certs renew"

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


@k8s-ci-robot added the release-note, do-not-merge/work-in-progress, size/L, cncf-cla: yes, needs-kind, needs-sig and needs-priority labels Apr 14, 2020
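
The PR description says kubeadm keeps renewing with the local CA on disk. The Go program below is an added illustration of what a local-CA renewal amounts to; it is not kubeadm's code and not part of this PR. `renewWithLocalCA` and `demo` are hypothetical names, the CA is constructed in memory instead of being read from disk, and Ed25519 keys are an assumption made for brevity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// renewWithLocalCA re-issues old under ca: fresh key, serial and validity; subject, SANs and usages are copied.
func renewWithLocalCA(old, ca *x509.Certificate, caKey ed25519.PrivateKey, ttl time.Duration) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: new(big.Int).SetBytes(pub[:16]), Subject: old.Subject,
		DNSNames: old.DNSNames, IPAddresses: old.IPAddresses, KeyUsage: old.KeyUsage, ExtKeyUsage: old.ExtKeyUsage,
		IsCA: old.IsCA, BasicConstraintsValid: old.BasicConstraintsValid, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	if ca == nil { // self-signed root: only used here to build the constructed demo CA
		ca, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// demo renews a constructed serving cert that has one hour left under a constructed CA.
func demo() (ca, old, renewed *x509.Certificate, err error) {
	ca, caKey, err := renewWithLocalCA(&x509.Certificate{Subject: pkix.Name{CommonName: "example-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil, 24*time.Hour)
	if err != nil {
		return nil, nil, nil, err
	}
	old = &x509.Certificate{Subject: pkix.Name{CommonName: "kube-apiserver"},
		DNSNames: []string{"kubernetes.default.svc"}, NotAfter: time.Now().Add(time.Hour)}
	renewed, _, err = renewWithLocalCA(old, ca, caKey, 12*time.Hour)
	return ca, old, renewed, err
}

func main() {
	if ca, old, renewed, err := demo(); err == nil {
		fmt.Println(old.NotAfter, "->", renewed.NotAfter, "signature error:", renewed.CheckSignatureFrom(ca))
	}
}
```

Nothing in this flow talks to the API server: whoever can read the CA private key can mint or renew any certificate the cluster trusts, so the key file's permissions are the control that matters.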
@neolit123
Member Author

/kind deprecation

@k8s-ci-robot added the kind/deprecation label and removed the needs-kind label Apr 14, 2020
@neolit123
Member Author

/priority important-longterm

@k8s-ci-robot added the priority/important-longterm, area/kubeadm and sig/cluster-lifecycle labels and removed the needs-priority and needs-sig labels Apr 14, 2020
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot added the approved label Apr 14, 2020
@neolit123
Member Author

/retest

@neolit123 changed the title from 'WIP: kubeadm: remove usage of the "certificates" API for cert renewal' to 'kubeadm: remove usage of the "certificates" API for cert renewal' Jun 4, 2020
@k8s-ci-robot removed the do-not-merge/work-in-progress label Jun 4, 2020
@neolit123
Member Author

@kubernetes/sig-cluster-lifecycle-pr-reviews

@liggitt
Member

liggitt commented Jun 4, 2020

/retest
/lgtm
/hold for any additional desired reviewers

@k8s-ci-robot added the do-not-merge/hold label Jun 4, 2020
@k8s-ci-robot added the lgtm label Jun 4, 2020
Contributor

@rosti left a comment


Thanks @neolit123 !
/lgtm

I would leave the hold for @fabriziopandini to TAL at it too.

@rosti
Contributor

rosti commented Jun 5, 2020

/assign @fabriziopandini

@neolit123
Member Author

this PR and the usage in kubeadm partially blocks the pending changes in the certificates API:
#91754
so let's proceed with it.

thanks
/hold cancel

@k8s-ci-robot removed the do-not-merge/hold label Jun 5, 2020
@liggitt
Member

liggitt commented Jun 5, 2020

/retest

@k8s-ci-robot merged commit b8b4186 into kubernetes:master Jun 5, 2020
@k8s-ci-robot added this to the v1.19 milestone Jun 5, 2020
@tibetsam

tibetsam commented Mar 4, 2021

could you please update 1.19 documents? it is still using this removed flag.
https://v1-19.docs.kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/

Create certificate signing requests (CSR)
You can create the certificate signing requests for the Kubernetes certificates API with kubeadm alpha certs renew --use-api.

If you set up an external signer such as cert-manager, certificate signing requests (CSRs) are automatically approved. Otherwise, you must manually approve certificates with the kubectl certificate command. The following kubeadm command outputs the name of the certificate to approve, then blocks and waits for approval to occur:

sudo kubeadm alpha certs renew apiserver --use-api &

@neolit123
Member Author

neolit123 commented Mar 4, 2021

@tibetsam

thanks for catching that.
reopening kubernetes/kubeadm#2047 to track this.
maybe you can also help us by sending a PR for kubernetes/website?

@tibetsam

tibetsam commented Mar 4, 2021

@neolit123 PR was created. FYI. kubernetes/website#26841

Successfully merging this pull request may close these issues.

deprecate and remove '--use-api' for cert renewal