Kubeadm Cert Renewal #67910
Kubeadm Cert Renewal #67910
Conversation
k8s-ci-robot
added
release-note-none
k8s-ci-robot
added
area/kubeadm
sig/cluster-lifecycle
k8s-ci-robot
added
release-note
|
|
||
| key, err := certutil.NewPrivateKey() | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("Couldn't create new private key: %v", err) |
There was a problem hiding this comment.
b/c these files are net new, definitely use errors.Wrap here.
| if ev.Type != watch.Modified { | ||
| return nil, nil, fmt.Errorf("unexpected event receieved: %q", ev.Type) | ||
| } | ||
| case <-time.After(watchTimeout): |
There was a problem hiding this comment.
I have to dig-up a different example for you here, but this looks a little weird.
| select { | ||
| case ev := <-watcher.ResultChan(): | ||
| if ev.Type != watch.Modified { | ||
| return nil, nil, fmt.Errorf("unexpected event receieved: %q", ev.Type) |
There was a problem hiding this comment.
receieved -> received.
optionally %q -> %s
|
|
||
| // TODO: under what circumstances are there more than one? | ||
| if status := req.Status.Conditions[0].Type; status != certsapi.CertificateApproved { | ||
| return nil, nil, fmt.Errorf("Unexpected certificate status %v", status) |
There was a problem hiding this comment.
Unexpected -> unexpected
status %v -> status: %v
| client certstype.CertificatesV1beta1Interface | ||
| } | ||
|
|
||
| // NewCertsAPIRenawal takes a certificate pair to construct the Interface. |
There was a problem hiding this comment.
-> takes a client Interface and returns a renewal Interface?
|
|
||
| key, err := certutil.NewPrivateKey() | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("Couldn't create new private key: %v", err) |
|
|
||
| csr, err := x509.CreateCertificateRequest(rand.Reader, reqTmp, key) | ||
| if err != nil { | ||
| return nil, nil, fmt.Errorf("Couldn't create csr: %v", err) |
There was a problem hiding this comment.
Couldn't -> couldn't
csr -> certificate signing request?
| for i, usage := range cfg.Usages { | ||
| certsAPIUsage, ok := usageMap[usage] | ||
| if !ok { | ||
| return nil, nil, fmt.Errorf("unknown key usage %v", usage) |
| func (r *FileRenewal) Renew(cfg *certutil.Config) (*x509.Certificate, crypto.PrivateKey, error) { | ||
| caKey, ok := r.caKey.(*rsa.PrivateKey) | ||
| if !ok { | ||
| return nil, nil, fmt.Errorf("unsupported private key type %t", r.caKey) |
There was a problem hiding this comment.
this would print the whole private key which can be quite long.
i would go for something like:
unsupported private key type. Only RSA is supported
k8s-ci-robot
added
size/XL
| Organization: cfg.Organization, | ||
| }, | ||
| DNSNames: cfg.AltNames.DNSNames, | ||
| IPAddresses: cfg.AltNames.IPs, |
There was a problem hiding this comment.
One bad thing is that x509.CertificateRequest doesn't validate what kind of IPs are requested in certificates. I think on our side we should be doing some validation that certificates that we request don't have some weird IPs in it.
There was a problem hiding this comment.
The source of these IPs is the existing, on-disk certificates. What IPs are you worried about?
k8s-ci-robot
added
sig/api-machinery
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/test pull-kubernetes-bazel-test |
|
/test pull-kubernetes-e2e-kops-aws |
k8s-ci-robot
added
the
lgtm
timothysc
added
kind/feature
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: liztio, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. |
What this PR does / why we need it:
adds explicit support for renewal of certificates via command
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes kubernetes/kubeadm#206
Special notes for your reviewer:
The targeted documentation is at kubernetes/website#9712
Release note: