kubelet: wipe/renew self-signed serving certificate #7235
Comments
Yesterday I learned this is why many set |
ro11net added a commit to ro11net/talos that referenced this issue on May 18, 2023:

Create Azure Community Gallery Image Version on release:
- Add /hack/cloud-image-uploader/azure.go
- Upload vhd file to container for all architectures
- Create managed disk from vhd file for all architectures
- Create image version from managed disk for all architectures
- Modify /hack/cloud-image-uploader/main.go
- Start Community Gallery processes concurrently with AWS upload
- Modify /hack/cloud-image-uploader/options.go
- Add additional Options for Community Gallery processes
- Modify .drone.jsonnet to use secrets for environment variables
- The following secrets need to be created for this to work:
  - azure_subscription_id
  - azure_client_id
  - azure_client_secret
  - azure_tenant_id

Signed-off-by: Christian Rolland <christian.rolland@siderolabs.com>

chore: some refactorings

Refactor the code.

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>

chore: document azure pre reqs

Add pre-requisite documentation for resources which must be existing in Azure

Signed-off-by: Christian Rolland <christian.rolland@siderolabs.com>

chore: bump deps

- github.com/containerd/typeurl to v2.1.1
- github.com/aws/aws-sdk-go to v1.44.264
- alpine to 3.18.0
- node to 20.2.0-alpine
- github.com/containernetworking/plugins to v1.3.0
- github.com/docker/docker to v23.0.6+incompatible
- github.com/hetznercloud/hcloud-go to v1.45.1
- github.com/insomniacslk/dhcp to v0.0.0-20230516061539-49801966e6cb
- github.com/rivo/tview to v0.0.0-20230511053024-822bd067b165
- tools to v1.5.0-alpha.0-7-gd2dde48
- pkgs to v1.5.0-alpha.0-16-g7958db1

Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com>

chore: drop deprecated stuff for Talos 1.5

* drop old resources API, which was deprecated a long time ago
* use bootstrapped event in `talosctl get --watch` to better align columns in the table output

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>

fix: refresh kubelet self-issued serving certificates

Kubelet doesn't refresh self-issued serving certificates, so force it by removing the cert on each restart.

Fix the code which was forcing rejoin when the nodename changes, it was broken, as it was checking serving certificate instead of client certificate. It worked by accident when not using controlplane-issued serving certificates.

Fixes siderolabs#7235

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
smira added a commit to smira/talos that referenced this issue on May 30, 2023:

Kubelet doesn't refresh self-issued serving certificates, so force it by removing the cert on each restart.

Fix the code which was forcing rejoin when the nodename changes, it was broken, as it was checking serving certificate instead of client certificate. It worked by accident when not using controlplane-issued serving certificates.

Fixes siderolabs#7235

Signed-off-by: Andrey Smirnov <andrey.smirnov@talos-systems.com>
(cherry picked from commit dd8336c)
When kubelet is configured to use a self-signed serving certificate, it issues one for itself, but never renews it automatically.
Talos needs to handle this case.
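The check an operator would want for the failure mode described in the issue, as an added example that is not part of the issue, of Talos, or of kubelet: parse the kubelet serving certificate, confirm it is genuinely self-signed (issuer equals subject and the signature verifies under the certificate's own key), and flag it for wiping only when its remaining lifetime falls inside a renewal window, so a control-plane-issued certificate, which kubelet rotates itself, is left alone. The function names (`InspectServingCert`, `SampleCerts`), the 30-day window and the two sample certificates are assumptions constructed for the example; the template shape only approximates what kubelet's self-signed generator produces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ServingCertStatus is what the renewal check reports for one serving certificate.
type ServingCertStatus struct {
	SelfSigned   bool          // issuer == subject and the signature verifies with the cert's own key
	Remaining    time.Duration // lifetime left at the time of the check (negative if expired)
	NeedsRenewal bool          // self-signed and inside the renewal window, or already expired
}

// InspectServingCert parses a PEM serving certificate and decides whether a kubelet that
// never rotates a self-signed serving certificate should have it wiped so a fresh one is
// issued on the next start. CA-issued certs are left alone: kubelet rotates those itself.
func InspectServingCert(pemBytes []byte, now time.Time, window time.Duration) (ServingCertStatus, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return ServingCertStatus{}, errors.New("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return ServingCertStatus{}, fmt.Errorf("parse certificate: %w", err)
	}
	// Issuer == Subject alone is not proof; also verify the signature with the cert's own key.
	selfSigned := cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	remaining := cert.NotAfter.Sub(now)
	return ServingCertStatus{
		SelfSigned:   selfSigned,
		Remaining:    remaining,
		NeedsRenewal: selfSigned && remaining <= window,
	}, nil
}

// Everything below builds constructed sample data; it is not kubelet's code.

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// certTemplate approximates a kubelet serving cert: the self-signed variant carries the
// CA flag and CertSign usage (as kubelet's generator sets), a CA-issued leaf does not.
func certTemplate(cn string, notAfter time.Time, selfSigned bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature
	if selfSigned {
		usage |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"node-1"},
		NotBefore:             notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:              notAfter,
		KeyUsage:              usage,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  selfSigned,
	}
}

func signPEM(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleCerts returns two constructed serving certificates expiring `ttl` from now: one
// self-signed (kubelet with no serving CA configured) and one issued by a constructed CA.
func SampleCerts(ttl time.Duration) (selfSignedPEM, caIssuedPEM []byte) {
	notAfter := time.Now().Add(ttl)
	nodeKey := newKey()
	nodeTmpl := certTemplate("node-1@1684400000", notAfter, true) // kubelet names it "<host>@<unix-time>"
	selfSignedPEM = signPEM(nodeTmpl, nodeTmpl, &nodeKey.PublicKey, nodeKey)

	caKey, leafKey := newKey(), newKey()
	caTmpl := certTemplate("kubernetes", notAfter.Add(24*time.Hour), true)
	leafTmpl := certTemplate("system:node:node-1", notAfter, false)
	caIssuedPEM = signPEM(leafTmpl, caTmpl, &leafKey.PublicKey, caKey)
	return selfSignedPEM, caIssuedPEM
}

func main() {
	window := 30 * 24 * time.Hour // assumed renewal policy
	self, issued := SampleCerts(10 * 24 * time.Hour)
	for name, p := range map[string][]byte{"self-signed": self, "CA-issued": issued} {
		st, err := InspectServingCert(p, time.Now(), window)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-12s self-signed=%-5t remaining=%s wipe=%t\n", name, st.SelfSigned, st.Remaining.Round(time.Hour), st.NeedsRenewal)
	}
}
```

Run as-is and the self-signed sample (10 days left, inside the 30-day window) is marked for wiping while the CA-issued one is not; a self-signed cert with most of its year left is kept, since wiping on every restart, as the fix does, is the blunt alternative to tracking the window. Whatever the policy, the decision must hinge on the signature check rather than on the subject name alone, which is also the mix-up the fix commit corrects between serving and client certificates.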