kubeadm: avoid requiring a CA key during kubeconfig expiration checks #106854
When the "kubeadm certs check-expiration" command is used and if the ca.key is not present, regular on disk certificate reads pass fine, but fail for kubeconfig files. The reason for the failure is that reading of kubeconfig files currently requires reading both the CA key and cert from disk. Reading the CA is done to ensure that the CA cert in the kubeconfig is not out of date during renewal. Instead of requiring both a CA key and cert to be read, only read the CA cert from disk, as only the cert is needed for kubeconfig files. This fixes printing the cert expiration table even if the ca.key is missing on a host (i.e. the CA is considered external).
/priority important-longterm
/sig cluster-lifecycle
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: neolit123.
} | ||
rw.caCert = caCert | ||
rw.caCert = caCerts[0] |
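Review bot: "rw.caCert = caCerts[0]" indexes the slice unconditionally, so it is only safe while the len(caCerts) != 1 check mentioned in the review thread sits directly before it; suggest keeping that check adjacent to this assignment and adding a one-line comment that the on-disk CA file is expected to hold exactly one certificate, because the same single-certificate assumption is repeated elsewhere (e.g. "return certs[0], nil") and a later change that relaxes one of those checks would otherwise leave an out-of-range index here.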
note, this (and the len(caCerts) != 1 check) is already an assumption in a number of places - e.g.
return certs[0], nil
and applies to CA certs and server/client certs.
tested.
…06854-origin-release-1.20 Automated cherry pick of #106854: kubeadm: avoid requiring a CA key during kubeconfig
…06927-origin-release-1.22 Automated cherry pick of #106854: kubeadm: avoid requiring a CA key during kubeconfig
…06927-origin-release-1.21 Automated cherry pick of #106854: kubeadm: avoid requiring a CA key during kubeconfig
…06927-origin-release-1.23 Automated cherry pick of #106854: kubeadm: avoid requiring a CA key during kubeconfig
What type of PR is this?
/kind bug
What this PR does / why we need it:
When the "kubeadm certs check-expiration" command is used and if the ca.key is not present, regular on disk certificate reads pass fine, but fail for kubeconfig files. The reason for the failure is that reading of kubeconfig files currently requires reading both the CA key and cert from disk. Reading the CA is done to ensure that the CA cert in the kubeconfig is not out of date during renewal.

Instead of requiring both a CA key and cert to be read, only read the CA cert from disk, as only the cert is needed for reading kubeconfig files. This fixes printing the cert expiration table even if the ca.key is missing on a host (i.e. the CA is considered external).
Which issue(s) this PR fixes:
xref kubernetes/kubeadm#2618
Special notes for your reviewer:
Based on this bug I don't think the command worked before without ca.key.
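As an added illustration (not code from this PR or from kubeadm), the Go check below reads the certificates embedded in a kubeconfig using only the on-disk CA certificate, which is the point of the fix: ca.key is never needed to validate a kubeconfig's CA or to report its client cert expiry. The function names (parseB64PEM, KubeconfigClientExpiry, SampleKubeconfig), the Ed25519 test CA and the JSON fixture are assumptions made for this example; real kubeconfigs are YAML, which Kubernetes loaders parse as a superset of the JSON used here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// parseB64PEM decodes one base64-wrapped PEM certificate, the encoding of a kubeconfig "*-data" field.
func parseB64PEM(b64 string) (*x509.Certificate, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil { return nil, err }
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" { return nil, fmt.Errorf("no CERTIFICATE block") }
	return x509.ParseCertificate(block.Bytes)
}
// KubeconfigClientExpiry (hypothetical name) uses only the on-disk CA cert, never ca.key: it checks that the
// kubeconfig's embedded CA equals it and that the client cert chains to it, then reports the client NotAfter.
func KubeconfigClientExpiry(cfgJSON []byte, diskCA *x509.Certificate) (time.Time, error) {
	var cfg struct { // the part of the kubeconfig schema needed here; kubeconfig loaders accept JSON as YAML
		Clusters []struct{ Cluster struct{ CA string `json:"certificate-authority-data"` } }
		Users    []struct{ User struct{ Cert string `json:"client-certificate-data"` } }
	}
	if err := json.Unmarshal(cfgJSON, &cfg); err != nil { return time.Time{}, err }
	if len(cfg.Clusters) != 1 || len(cfg.Users) != 1 { return time.Time{}, fmt.Errorf("expected exactly one cluster and one user") }
	embeddedCA, err := parseB64PEM(cfg.Clusters[0].Cluster.CA)
	if err != nil { return time.Time{}, err }
	if !embeddedCA.Equal(diskCA) { return time.Time{}, fmt.Errorf("kubeconfig CA cert is out of date vs on-disk CA cert") }
	client, err := parseB64PEM(cfg.Users[0].User.Cert)
	if err != nil { return time.Time{}, err }
	roots := x509.NewCertPool(); roots.AddCert(diskCA)
	if _, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil { return time.Time{}, fmt.Errorf("client cert rejected: %w", err) }
	return client.NotAfter, nil
}
// SampleKubeconfig is a constructed fixture: a self-signed CA standing in for ca.crt plus a client cert it
// issued, embedded as kubeconfig JSON the way kubeadm writes admin.conf. The CA key is discarded afterwards.
func SampleKubeconfig() ([]byte, *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"}, NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey); ca, _ := x509.ParseCertificate(caDER)
	cliPub, _, _ := ed25519.GenerateKey(rand.Reader)
	cliTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "kubernetes-admin"}, NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	cliDER, _ := x509.CreateCertificate(rand.Reader, cliTmpl, ca, cliPub, caKey)
	b64 := func(der []byte) string { return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})) }
	cfg := fmt.Sprintf(`{"clusters":[{"cluster":{"certificate-authority-data":%q}}],"users":[{"user":{"client-certificate-data":%q}}]}`, b64(caDER), b64(cliDER))
	return []byte(cfg), ca
}
```

Pointing the same check at a different CA cert (the situation after a CA rotation that the kubeconfig has not caught up with) returns the mismatch error rather than a misleading expiry date.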