kubeadm: fix certs renewal during upgrade #76862
What this PR does / why we need it:
This PR fixes this by implementing a consistent approach: renewing all the certificates used by a component before upgrading the component itself.
Certificate renewal during kubeadm upgrade is skipped in case of external-ca (because kubeadm can't do certificate renewal without the ca key)
neolit123 left a comment
i guess this is the best we can do for upgrade.
i can't find any Printf() for , but i might have missed them.
Apr 22, 2019
In the name of safety we should
this is a valid concern.
i think the PR covers this case?
my vote would be to print the age using the proposed ways using plan and/or e.g
this flag can be removed once we have phases for upgrades.
This is currently satisfied because renewal reads the current certificates as the authoritative source for certificates attributes
kubeadm already detects an external CA (when the CA key is not provided) and skips certificate renewal
during the discussion, it was decided to always renew certs; additionally, in following PRs, I will provide also a utility for checking certificate age (and possibly integrate this in the kubeadm upgrade output)
Apr 27, 2019
[APPROVALNOTIFIER] This PR is APPROVED
Apr 27, 2019
I think that we should validate that the internal or external CA is the CA that signed the existing certs before renewing them.
There will be cases where someone has minted the certs for public facing apis and hasn't figured a way to configure kubeadm such that these specific certs are not clobbered.
I'd like for us to explicitly only renew certs if the CA that we have is the one that signed the old cert.
On this case:
My concern is that we have more high value and still very valid certs lying around on disk. If the cert is not set to expire soon and we back it up, we should at least inform the user that there are high value TLS assets that are still active. With the current TLS implementation there is no Certificate Revocation possible. So any valid cert will continue to extend trust until it is expired.
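The two gates raised in this thread (skip renewal when the CA key is absent, and only renew a certificate that the CA on disk actually signed) together with the reviewer's request to surface how much validity a backed-up certificate still has, shown as an added Go example. This is illustrative code written for this page, not kubeadm's own renewal code: the `newCA`/`newLeaf` helpers and the `ShouldRenew` function are assumed names, and the CAs and certificates are generated in memory rather than read from `/etc/kubernetes/pki`. It uses only the standard-library `crypto/x509` API; `CheckSignatureFrom` is what verifies that the candidate CA both is a CA and produced the certificate's signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed CA certificate and key in memory (constructed test
// material for this example; kubeadm would load the CA from its pki directory).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newLeaf issues a server certificate for name, signed by ca, valid for validFor.
func newLeaf(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, validFor time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RenewDecision records whether a certificate will be renewed and why.
type RenewDecision struct {
	SignedByOurCA bool
	Remaining     time.Duration // validity left on the existing certificate
	Renew         bool
	Reason        string
}

// ShouldRenew applies the two gates from the discussion: skip when the CA key is
// absent (external CA), and skip when the existing certificate was not issued by
// the CA on disk. Remaining validity is always reported so the caller can warn
// about a still-valid, high-value certificate that is being backed up.
func ShouldRenew(cert, ca *x509.Certificate, caKeyAvailable bool, now time.Time) RenewDecision {
	d := RenewDecision{Remaining: cert.NotAfter.Sub(now)}
	if !caKeyAvailable {
		d.Reason = "external CA (no CA key on disk): renewal skipped"
		return d
	}
	// CheckSignatureFrom verifies that ca is a CA and that it signed cert.
	if err := cert.CheckSignatureFrom(ca); err != nil {
		d.Reason = "not signed by the CA on disk, left untouched: " + err.Error()
		return d
	}
	d.SignedByOurCA = true
	d.Renew = true
	d.Reason = fmt.Sprintf("signed by our CA, %s of validity left: renewing", d.Remaining.Round(time.Hour))
	return d
}

func main() {
	ca, caKey, err := newCA("kubernetes")
	if err != nil {
		panic(err)
	}
	extCA, extKey, _ := newCA("corp-external-ca") // constructed: a CA kubeadm does not own
	ours, _ := newLeaf("kube-apiserver", ca, caKey, 300*24*time.Hour)
	foreign, _ := newLeaf("kube-apiserver", extCA, extKey, 300*24*time.Hour)
	for _, c := range []*x509.Certificate{ours, foreign} {
		d := ShouldRenew(c, ca, true, time.Now())
		fmt.Printf("issuer=%-18s renew=%-5v %s\n", c.Issuer.CommonName, d.Renew, d.Reason)
	}
}
```

Running `main` prints one line per certificate: the one issued by the in-memory `kubernetes` CA is marked for renewal with its remaining validity, while the one minted by the other CA is left untouched, which is the behaviour the reviewer asked for.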