[release-4.10] WINC-687: Windows instances react to kubelet CA rotation #1036
Conversation
This commit changes the transfer function for the SSH connectivity to accept an io.Reader interface instead of the path to a file, which requires expensive IO operation. (cherry picked from commit 9b8e4aa)
This commit consolidates the file checksum validation into the FileExists function, making it an optional functionality that can be re-used. (cherry picked from commit 3c97bbd)
- Adds a function to update the kubelet CA file in a Windows instance. The location and name of the file is fixed to `C:\k\kubelet-ca.crt` by WMCB while setting the kubelet configuration. - Introduces the certificates package with common operations and constants - Adds a new watcher to the ConfigMap controller to react on changes in the serving CA ConfigMap from the Kube API Server - Extends the instanceReconciler with a new capability to reconcile the kubelet CA rotation The proposed implementation does not require node drain or node reboot. When the new CA bundle (kubelet-ca.crt) is updated in the worker node, kubelet detects the change in the file system, reads the certificates from the file, and updates the client configuration. (cherry picked from commit babaf41)
This commit adds an e2e test to cover the kubelet CA rotation. In this case, the rotation is triggered on-demand by setting the annotation `auth.openshift.io/certificate-not-after` to null, the resulting CA bundle is copied to the Windows node, so that the kubelet-ca.crt file must contain the new certificate. (cherry picked from commit d127c21)
|
@jrvaldes: No Bugzilla bug is referenced in the title of this pull request. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/test vsphere-e2e-operator |
|
/test platform-none-vsphere-e2e-operator |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jrvaldes, selansen The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
1 similar comment
|
/retest-required Please review the full test history for this PR and help us cut down flakes. |
|
@jrvaldes: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
…jrvaldes/cherry-pick-1013-to-release-4.10 Updated upstream source commit. Commit details follow: Signed-off-by: OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> Project: https://github.com/openshift/windows-machine-config-operator.git Branch: release-4.10 Commit: 7efaecc Author: OpenShift Merge Robot Date: Fri, 29 Apr 2022 00:00:05 -0400 Merge pull request openshift#1036 from jrvaldes/cherry-pick-1013-to-release-4.10 [release-4.10] WINC-687: Windows instances react to kubelet CA rotation Additional included commits: c87a7ff, 41db44f, f29fa4e, 51127f6, d21d5dd, 7743720 Referenced RedHat JIRA issues: WINC-687, WINC-799 automerge: yes x-md5: 8a2334bd91a991b5f05db22b862b0f51 Change-Id: I68dda22563675fd54b7d542cbf3927567826b3c3
This is a manual cherry-pick of #1013