
kubeadm: renew certificates embedded in kubeconfig files #77180

Merged

Conversation

@fabriziopandini (Member) commented Apr 28, 2019

What type of PR is this?
/kind feature

What this PR does / why we need it:
As of today, kubeadm does not implement support for the renewal of certificates embedded in KubeConfig files (generated by kubeadm itself).

This PR fixes this by implementing:

  • new subcommands in kubeadm alpha certs renew for the renewal of certificates embedded in KubeConfig files
  • automatic renewal of certificates embedded in KubeConfig files during kubeadm upgrade

In both cases, renewal is executed only if the CA is managed by kubeadm.

Which issue(s) this PR fixes:
Ref kubernetes/kubeadm#1361

Does this PR introduce a user-facing change?:

kubeadm: kubeadm alpha certs renew and kubeadm upgrade now support renewal of certificates embedded in KubeConfig files managed by kubeadm; this does not apply to certificates signed by external CAs.

/sig cluster-lifecycle
/area kubeadm
/priority important-soon
@kubernetes/sig-cluster-lifecycle-pr-reviews
/cc @mauilion

@k8s-ci-robot (Contributor) commented Apr 28, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@neolit123 (Member) left a comment

nicely done @fabriziopandini
added minor copy-edit comments.

cmd/kubeadm/app/phases/certs/renewal/renewal_test.go (outdated, resolved)
@@ -214,21 +220,136 @@ func TestRenewExistingCert(t *testing.T) {
t.Fatalf("couldn't write out certificate")
}

// makes some time pass
time.Sleep(1 * time.Second)
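Review bot: the `time.Sleep(1 * time.Second)` at the end of this hunk couples the test to wall-clock time; certificate validity is stored with one-second granularity, so a renewal issued within the same second as the original carries the same `NotAfter`, and an assertion on that field cannot tell the two certificates apart. The sleep hides that flake rather than removing it. Suggest letting the renewal helper (or the test's certificate-writing setup) take explicit NotBefore/NotAfter values, or asserting on a field that must change on re-issue such as the serial number, and dropping the sleep.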

@neolit123 (Member) Apr 28, 2019

did you observe flakes if there is no sleep here?
[1]

@fabriziopandini (Author, Member) Apr 30, 2019

yes, sometimes it flakes without sleep because Cert.NotAfter is the same in old/new certs if we are too fast

@rosti (Member) May 3, 2019

We should probably expose some funcs in the pki helpers that allow us to specify NotBefore & NotAfter for test purposes. But that's a job for another PR.

cmd/kubeadm/app/phases/certs/renewal/renewal_test.go (outdated, resolved)
cmd/kubeadm/app/phases/upgrade/staticpods.go (outdated, resolved)
cmd/kubeadm/app/phases/upgrade/staticpods_test.go (outdated, resolved)
cmd/kubeadm/app/phases/upgrade/staticpods_test.go (outdated, resolved)
cmd/kubeadm/app/phases/upgrade/staticpods_test.go (outdated, resolved)
cmd/kubeadm/app/phases/upgrade/staticpods_test.go (outdated, resolved)

@fabriziopandini fabriziopandini force-pushed the fabriziopandini:renew-embedded-certs branch from f0ebb8e to b7a985d Apr 30, 2019

@k8s-ci-robot k8s-ci-robot added size/XL and removed size/L labels Apr 30, 2019

@timothysc (Member) left a comment

Bunch of comments.

cfg: kubeadmapiv1beta2.InitConfiguration{
ClusterConfiguration: kubeadmapiv1beta2.ClusterConfiguration{
// Setting kubernetes version to a default value in order to allow a not necessary internet lookup
KubernetesVersion: fmt.Sprintf("v%s", kubeadmconstants.CurrentKubernetesVersion),
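Review bot: the comment above `KubernetesVersion` says the default is set "in order to allow a not necessary internet lookup", which reads as the opposite of the intent; suggest "to avoid an otherwise unnecessary internet lookup", plus a short note on which command paths (those that never use the version) rely on this default, so the next reader does not remove it as dead configuration. The `fmt.Sprintf("v%s", kubeadmconstants.CurrentKubernetesVersion)` wrapper is also worth a look: if `CurrentKubernetesVersion` already carries its own string form, use that instead of re-prefixing `v` here.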

@timothysc (Member) May 1, 2019

It's a little weird that this is here.

@rosti (Member) May 3, 2019

No need for Sprintf here, just constants.CurrentKubernetesVersion.String() should do the trick.

@fabriziopandini (Author, Member) May 6, 2019

yep, it is a bit weird, but ATM it is the workaround used to get commands which don't use the KubernetesVersion to work in air-gapped environments

cmd/kubeadm/app/cmd/alpha/certs.go (outdated, resolved)
cmd/kubeadm/app/cmd/alpha/certs.go (outdated, resolved)
}

// get current context
if _, ok := config.Contexts[config.CurrentContext]; !ok {
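Review bot: the lookup `config.Contexts[config.CurrentContext]` only checks that the current context exists; nothing in this hunk states what happens to the other contexts, users and clusters in the same kubeconfig, and a renewal that rewrites or drops them would break every other credential in the file. Suggest documenting that only the current context's client certificate is renewed and everything else is written back unchanged, and adding a test case with more than one context that asserts the other entries are preserved byte for byte.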

@timothysc (Member) May 1, 2019

What's the behavior here if there are multiple contexts?

@fabriziopandini (Author, Member) May 6, 2019

Good catch! Fixed. Now the renew only updates the client certificate for the current context, but everything else is preserved
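The behaviour this PR describes (renewal of the client certificate embedded in a kubeconfig, limited to the user of the current context and to certificates issued by a CA whose key kubeadm holds), together with the NotAfter-granularity flake discussed in the renewal_test.go thread above, as an added Go example. This is not kubeadm's code: it assumes a cut-down kubeconfig model (`Kubeconfig`, `Context`, `User`) with only the fields renewal reads, a `CA` type whose nil key stands for an external CA, reuse of the existing key pair on renewal, and explicit NotBefore/NotAfter parameters on `Sign`; all names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Simplified kubeconfig model (an assumption of this example): only the fields renewal reads.
type Context struct{ Name, User string } // contexts[].name and contexts[].context.user
type User struct {
	Name                  string // users[].name
	ClientCertificateData []byte // users[].user.client-certificate-data, PEM (base64 in the file)
}
type Kubeconfig struct {
	CurrentContext string // current-context
	Contexts       []Context
	Users          []User
}

// CA is the cluster CA; a nil Key models an external CA (certificate known, key not held).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewCA builds a self-signed CA as a constructed test fixture (not cluster data).
func NewCA(name string) *CA {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail here
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // fixture only: failing here is a programming error
	}
	cert, _ := x509.ParseCertificate(der) // bytes we just produced, always parse
	return &CA{Cert: cert, Key: key}
}

// Sign issues a PEM leaf for pub; explicit validity bounds let a test pick NotAfter instead of sleeping.
func (c *CA) Sign(tmpl *x509.Certificate, pub any, notBefore, notAfter time.Time) ([]byte, error) {
	if c.Key == nil {
		return nil, fmt.Errorf("no CA key: certificates are managed by an external CA")
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl.SerialNumber, tmpl.NotBefore, tmpl.NotAfter = serial, notBefore, notAfter
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.Cert, pub, c.Key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// RenewCurrentContextCert re-issues only the client certificate of the user that current-context
// points at, keeping its key pair, subject and usages; every other kubeconfig entry stays untouched.
func RenewCurrentContextCert(cfg *Kubeconfig, ca *CA, notBefore, notAfter time.Time) error {
	var user *User
	for _, ctx := range cfg.Contexts {
		for i := range cfg.Users {
			if ctx.Name == cfg.CurrentContext && cfg.Users[i].Name == ctx.User {
				user = &cfg.Users[i]
			}
		}
	}
	if user == nil {
		return fmt.Errorf("no user for current-context %q", cfg.CurrentContext)
	}
	block, _ := pem.Decode(user.ClientCertificateData)
	if block == nil {
		return fmt.Errorf("user %q: no PEM certificate embedded", user.Name)
	}
	old, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		err = old.CheckSignatureFrom(ca.Cert) // refuse anything the managed CA did not issue
	}
	if err != nil {
		return fmt.Errorf("user %q: cannot renew: %w", user.Name, err)
	}
	renewed, err := ca.Sign(&x509.Certificate{Subject: old.Subject, KeyUsage: old.KeyUsage, ExtKeyUsage: old.ExtKeyUsage}, old.PublicKey, notBefore, notAfter)
	if err == nil {
		user.ClientCertificateData = renewed
	}
	return err
}

func main() {
	ca, now := NewCA("kubernetes"), time.Now().Truncate(time.Second) // x509 keeps whole seconds only
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leaf, _ := ca.Sign(&x509.Certificate{Subject: pkix.Name{CommonName: "admin"}}, &key.PublicKey, now, now.Add(24*time.Hour))
	cfg := &Kubeconfig{CurrentContext: "admin@k8s", Contexts: []Context{{"admin@k8s", "admin"}}, Users: []User{{"admin", leaf}}}
	fmt.Println("renewal error:", RenewCurrentContextCert(cfg, ca, now, now.Add(48*time.Hour)))
}
```

Because `Sign` takes NotBefore and NotAfter explicitly, a test can prove a renewal happened by comparing serial numbers, or choose a later NotAfter outright, rather than sleeping for a second and hoping the validity field moves. The external-CA case falls out of the same shape: with only the CA certificate on hand the embedded certificate can still be verified, but `Sign` refuses and the kubeconfig is left exactly as it was.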

cmd/kubeadm/app/phases/certs/renewal/renewal.go (outdated, resolved)
@rosti (Member) left a comment

Thanks @fabriziopandini !
Overall looks OK at a first pass.

@fabriziopandini fabriziopandini force-pushed the fabriziopandini:renew-embedded-certs branch from b7a985d to 3076644 May 6, 2019

@fabriziopandini (Member, Author) commented May 6, 2019

@rosti @timothysc thanks for the feedback
Everything should be addressed now

@fabriziopandini (Member, Author) commented May 6, 2019

/test pull-kubernetes-e2e-gce-100-performance

@neolit123 (Member) left a comment

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label May 6, 2019

@k8s-ci-robot k8s-ci-robot merged commit f9c9ecd into kubernetes:master May 6, 2019

20 checks passed

  • cla/linuxfoundation: fabriziopandini authorized
  • pull-kubernetes-bazel-build: Job succeeded.
  • pull-kubernetes-bazel-test: Job succeeded.
  • pull-kubernetes-conformance-image-test: Skipped.
  • pull-kubernetes-cross: Skipped.
  • pull-kubernetes-dependencies: Job succeeded.
  • pull-kubernetes-e2e-gce: Job succeeded.
  • pull-kubernetes-e2e-gce-100-performance: Job succeeded.
  • pull-kubernetes-e2e-gce-csi-serial: Skipped.
  • pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
  • pull-kubernetes-e2e-gce-storage-slow: Skipped.
  • pull-kubernetes-godeps: Skipped.
  • pull-kubernetes-integration: Job succeeded.
  • pull-kubernetes-kubemark-e2e-gce-big: Job succeeded.
  • pull-kubernetes-local-e2e: Skipped.
  • pull-kubernetes-node-e2e: Job succeeded.
  • pull-kubernetes-typecheck: Job succeeded.
  • pull-kubernetes-verify: Job succeeded.
  • pull-publishing-bot-validate: Skipped.
  • tide: In merge pool.
@luxas (Member) commented May 8, 2019

Thanks @fabriziopandini!
