New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ETCD-535: Manual CA rotation should rotate all leaf certs #1200
Conversation
@tjungblu: This pull request references ETCD-535 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/test e2e-operator |
/test e2e-operator |
1 similar comment
/test e2e-operator |
/test e2e-operator |
/test unit |
/test e2e-operator |
/test e2e-operator |
6d6535a
to
5a012c2
Compare
/test e2e-operator |
1 similar comment
/test e2e-operator |
6540a25
to
9d46a0d
Compare
/test e2e-operator |
/test e2e-operator |
@tjungblu: This pull request references ETCD-535 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
9d46a0d
to
2920875
Compare
2920875
to
141ba69
Compare
db8112d
to
ba6481c
Compare
@tjungblu: This pull request references ETCD-535 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
@tjungblu: This pull request references ETCD-535 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
/test e2e-operator |
type CARotatingTargetCertCreator struct { | ||
certrotation.TargetCertCreator | ||
} | ||
|
||
func (c *CARotatingTargetCertCreator) NeedNewTargetCertKeyPair( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I get that we're overriding the NeedNewTargetCertKeyPair()
method here to check the extra constraints on the signer not matching to trigger rotation.
Shouldn't we be using CARotatingTargetCertCreator
somewhere then?
e.g:
https://github.com/openshift/cluster-etcd-operator/blob/master/pkg/tlshelpers/tlshelpers.go#L216
or
https://github.com/openshift/cluster-etcd-operator/blob/master/pkg/tlshelpers/tlshelpers.go#L109
(Unless I'm being dense and missing where we have that already).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LOL you're right. Sorry, I'll get that done throughout the day.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
Signed-off-by: Thomas Jungblut <tjungblu@redhat.com>
/hold cancel |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hasbro17, tjungblu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@tjungblu: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/override ci/prow/e2e-operator-fips unrelated OLM failure |
@tjungblu: Overrode contexts on behalf of tjungblu: ci/prow/e2e-operator-fips In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I'm going to set this label to not let a full week of CI run data go to waste - sorry it took so long to retest and eventually get here /label acknowledge-critical-fixes-only |
sigh, another retest for today 🥱 |
eeef803
into
openshift:master
[ART PR BUILD NOTIFIER] This PR has been included in build cluster-etcd-operator-container-v4.16.0-202403180813.p0.geeef803.assembly.stream.el9 for distgit cluster-etcd-operator. |
/hold
The cool thing is that we're now able to "swap" signers with the existing logic with:
which is effectively overwriting the new signer from
openshift-etcd
into the old signer inopenshift-config
. That works, because the bundle with the new signer is already distributed to all CP nodes. CEO will then proceed to rewrite all leaf certs, which are then rolled out together viaetcd-all-certs
.Manual rotation is then just two step manual process:
Generate new signer:
... wait for the rollout ...
Replace the old signer with the new signer: