Added option to force apiserver and respective client certificate to be regenerated without necessarily needing to bump the K8S cluster version #6403

Conversation
Hi @pestebogdan. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

/retest
@pestebogdan: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

/assign @mattymo

/ok-to-test

/retest
This is useful, thanks! We don't have a test currently for that; I'll add it to the list in #6400 of CI tests to add.

I see that the I haven't tested it in

@Miouge1: From what I tested, re-running cluster.yml does not recreate the certificates (tested the latest version and also an old one, v2.8.5).

A task just to renew the certs (without doing kubeadm upgrade) would indeed be handy. Not sure that's the role of cluster.yml though.

I understand your point, but the reason it's there is because it leverages the idempotency of cluster.yml (and kubespray in general), not having to duplicate code that's already proven to work (SAN modification triggers the same flow); that's why the PR only includes just an extra variable and conditional.
Kubeadm docs say:

Is this a use case for people who have long-lived clusters without upgrades, or is that feature not enabled in cluster.yml?

First one.

Considering that certificate (expiry and renewal) is a common question, it would be good to add some documentation about the expected behavior and the options available. Would that be something you would be able to do @pestebogdan before we merge this?

Sure thing. I did put a comment line above the new variable declaration, but I could give more context. I'm new to contributing here; where exactly would that extra documentation need to reside?

@pestebogdan I guess you could add something in

Agreeing with myself, adding this to the todo list.
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: floryut, pestebogdan

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
Merge 'master' of https://github.com/kubernetes-sigs/kubespray:
- change owner to root for bin_dir directory (kubernetes-sigs#6814)
- Modify imagepullpolicy (kubernetes-sigs#6816)
- fix: add tags for set facts nodelocaldns (kubernetes-sigs#6813)
- Make reset work for crio (kubernetes-sigs#6812)
- Added option to force apiserver and respective client certificate to … (kubernetes-sigs#6403)
- cleanup kubelet_deployment_type (kubernetes-sigs#6815)
- allow pre-existing floating IPs to be specified with k8s_master_fips (kubernetes-sigs#6755)
- Fix line-spacing in no_proxy.yml (kubernetes-sigs#6810)
- Fix handler naming issue for Kubeadm | kubelet (kubernetes-sigs#6803)
- Disable dashboard by default (kubernetes-sigs#6804)
- Chmod kubeconfig to avoid group-readable (kubernetes-sigs#6800)
- Update bunch of dependencies (kubernetes-sigs#6801)
- If no_proxy_exclude_workers is true, workers will be excluded from the no_proxy variable. This prevents docker engine restarting when scaling workers. (kubernetes-sigs#6520)

kubernetes-sigs#6403)
- Added option to force apiserver and respective client certificate to be regenerated without necessarily needing to bump the K8S cluster version
- Removed extra blank line
What type of PR is this?

/kind feature

What this PR does / why we need it:

This gives users a way to force regeneration of the kube-apiserver certificate (and, by the code that's already there, all the relevant client certificates) without the need to upgrade the cluster.

Since certificates are valid for 1 year, some deployments that may not want to upgrade their k8s cluster version might end up broken.
Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

I added a simple variable named force_certificate_regeneration (defaulting to false) that users may set to True during a subsequent run of cluster.yml in order to force the apiserver certificate regeneration flow.

Does this PR introduce a user-facing change?:

Add force_certificate_regeneration variable