Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubeadm: avoid requiring a CA key during kubeconfig expiration checks #106854

Merged
merged 1 commit into from Dec 8, 2021
Merged

kubeadm: avoid requiring a CA key during kubeconfig expiration checks #106854

merged 1 commit into from Dec 8, 2021

Conversation

neolit123
Copy link
Member

@neolit123 neolit123 commented Dec 7, 2021
edited

What type of PR is this?

/kind bug

What this PR does / why we need it:

When the "kubeadm certs check-expiration" command is used and
if the ca.key is not present, regular on disk certificate reads
pass fine, but fail for kubeconfig files. The reason for the
failure is that reading of kubeconfig files currently
requires reading both the CA key and cert from disk. Reading the CA
is done to ensure that the CA cert in the kubeconfig is not out of date
during renewal.

Instead of requiring both a CA key and cert to be read, only read
the CA cert from disk, as only the cert is needed for reading kubeconfig files.

This fixes printing the cert expiration table even if the ca.key
is missing on a host (i.e. the CA is considered external).

Which issue(s) this PR fixes:

xref kubernetes/kubeadm#2618

Special notes for your reviewer:

based on this bug i don't think the command worked before without ca.key

Does this PR introduce a user-facing change?

kubeadm: allow the "certs check-expiration" command to not require the existence of the cluster CA key (ca.key file) when checking the expiration of managed certificates in kubeconfig files.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@neolit123
kubeadm: avoid requiring a CA key during kubeconfig expiration checks
847b2e1 
When the "kubeadm certs check-expiration" command is used and
if the ca.key is not present, regular on disk certificate reads
pass fine, but fail for kubeconfig files. The reason for the
failure is that reading of kubeconfig files currently
requires reading both the CA key and cert from disk. Reading the CA
is done to ensure that the CA cert in the kubeconfig is not out of date
during renewal.

Instead of requiring both a CA key and cert to be read, only read
the CA cert from disk, as only the cert is needed for kubeconfig files.

This fixes printing the cert expiration table even if the ca.key
is missing on a host (i.e. the CA is considered external).
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Dec 7, 2021
@neolit123 neolit123 mentioned this pull request Dec 7, 2021
Closed
@neolit123
Copy link
Member Author

/priority important-longterm
/triage accepted

@k8s-ci-robot k8s-ci-robot added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Dec 7, 2021
@neolit123
Copy link
Member Author

/sig cluster-lifecycle
/area kubeadm

@k8s-ci-robot k8s-ci-robot added sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. area/kubeadm and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Dec 7, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 7, 2021
neolit123
neolit123 commented Dec 7, 2021
View reviewed changes
cmd/kubeadm/app/phases/certs/renewal/readwriter.go
}
rw.caCert = caCert
rw.caCert = caCerts[0]
Copy link
Member Author

@neolit123 neolit123 Dec 7, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note, this (and the len(caCerts) != 1 check) is already an assumption in a number of places - e.g

kubernetes/cmd/kubeadm/app/phases/certs/renewal/readwriter.go

Line 89 in 847b2e1

return certs[0], nil

and applies to CA certs and server/client certs.

@pacoxu
Copy link
Member

pacoxu commented Dec 8, 2021 

[root@daocloud ~]# mv /root/paco/pki/ca.key ~/
[root@daocloud ~]# kubeadm certs check-expiration  --cert-dir /root/paco/pki
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

failure loading ca certificate authority: failed to load key: couldn't load the private key file /root/paco/pki/ca.key: open /root/paco/pki/ca.key: no such file or directory
To see the stack trace of this error execute with --v=5 or higher
[root@daocloud ~]#
[root@daocloud ~]# ./kubeadm certs check-expiration  --cert-dir /root/paco/pki
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 30, 2022 06:38 UTC   357d                                    yes
apiserver                  Nov 30, 2022 06:38 UTC   357d            ca                      yes
apiserver-etcd-client      Nov 30, 2022 06:38 UTC   357d            etcd-ca                 no
apiserver-kubelet-client   Nov 30, 2022 06:38 UTC   357d            ca                      yes
controller-manager.conf    Nov 30, 2022 06:38 UTC   357d                                    yes
etcd-healthcheck-client    Nov 30, 2022 06:38 UTC   357d            etcd-ca                 no
etcd-peer                  Nov 30, 2022 06:38 UTC   357d            etcd-ca                 no
etcd-server                Nov 30, 2022 06:38 UTC   357d            etcd-ca                 no
front-proxy-client         Nov 30, 2022 06:38 UTC   357d            front-proxy-ca          no
scheduler.conf             Nov 30, 2022 06:38 UTC   357d                                    yes

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 28, 2031 06:38 UTC   9y              yes
etcd-ca                 Nov 28, 2031 06:38 UTC   9y              no
front-proxy-ca          Nov 28, 2031 06:38 UTC   9y              no
[root@daocloud ~]# ls /root/paco/pki
apiserver.crt              apiserver-kubelet-client.crt  front-proxy-ca.crt      sa.key
apiserver-etcd-client.crt  apiserver-kubelet-client.key  front-proxy-ca.key      sa.pub
apiserver-etcd-client.key  ca.crt                        front-proxy-client.crt
apiserver.key              etcd                          front-proxy-client.key

tested.
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 8, 2021
@k8s-ci-robot k8s-ci-robot merged commit 89f5353 into kubernetes:master Dec 8, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.24 milestone Dec 8, 2021
This was referenced Dec 9, 2021
Merged
Merged
This was referenced Dec 9, 2021
Merged
Merged
k8s-ci-robot added a commit that referenced this pull request Dec 10, 2021
@k8s-ci-robot
Merge pull request #106927 from neolit123/automated-cherry-pick-of-#1…
05b7435 
…06854-origin-release-1.20

Automated cherry pick of #106854: kubeadm: avoid requiring a CA key during kubeconfig
k8s-ci-robot added a commit that referenced this pull request Dec 10, 2021
@k8s-ci-robot
Merge pull request #106930 from neolit123/automated-cherry-pick-of-#1…
ee4feba 
…06927-origin-release-1.22

Automated cherry pick of #106854: kubeadm: avoid requiring a CA key during kubeconfig
k8s-ci-robot added a commit that referenced this pull request Dec 10, 2021
@k8s-ci-robot
Merge pull request #106929 from neolit123/automated-cherry-pick-of-#1…
43a1d59 
…06927-origin-release-1.21

Automated cherry pick of #106854: kubeadm: avoid requiring a CA key during kubeconfig
k8s-ci-robot added a commit that referenced this pull request Dec 10, 2021
@k8s-ci-robot
Merge pull request #106931 from neolit123/automated-cherry-pick-of-#1…
122e298 
…06927-origin-release-1.23

Automated cherry pick of #106854: kubeadm: avoid requiring a CA key during kubeconfig
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pacoxu pacoxu Awaiting requested review from pacoxu

@yagonobre yagonobre Awaiting requested review from yagonobre

Assignees

@pacoxu pacoxu

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.24
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@neolit123 @k8s-ci-robot @pacoxu