
Ability to change control plane certificates expiration date #1595

Merged (20 commits) Sep 7, 2020

Conversation

atsikham (Contributor) commented Aug 30, 2020

Changes are related to #1302. Documentation is updated with config description.

NOTE: it is not possible to use openssl_* modules at the moment - #1593
NOTE: kubelet.conf is not updated because according to documentation kubeadm configures kubelet for automatic certificate renewal. To verify that, navigate to /var/lib/kubelet/config.yaml file and check if rotateCertificates is true (default in kubeadm), also check if there are files with dates in /var/lib/kubelet/pki.

Cases need to be tested 'at least':

  • single-master and HA installations
  • renew: true and renew: false with different periods, including default
  • when certificates are updated, they have the same structure and fields as before update:

        # useful commands
        kubeadm alpha certs check-expiration

        # certificates location - /etc/kubernetes/pki/
        openssl x509 -in apiserver.crt -text -noout

        # certificates embedded in config files also participate in the update process
        grep 'client-certificate-data' /etc/kubernetes/controller-manager.conf | awk '{print $2}' | base64 -d | openssl x509 -text

  • it's possible to renew certs by kubeadm manually after applying configuration by Epiphany: kubeadm alpha certs renew all

@atsikham atsikham marked this pull request as ready for review August 30, 2020 02:48
@atsikham atsikham requested a review from sk4zuzu August 31, 2020 11:01
@atsikham atsikham changed the title Add ability to change control plane certificates expiration date Added ability to change control plane certificates expiration date Aug 31, 2020
@atsikham atsikham self-assigned this Aug 31, 2020
mkyc (Contributor) previously approved these changes Sep 3, 2020 and left a review comment:

Just one question.

(review comment on docs/home/CERTIFICATES.md, outdated, resolved)
@atsikham atsikham requested a review from mkyc September 4, 2020 08:30
mkyc previously approved these changes Sep 4, 2020

przemyslavic (Collaborator) commented:

/azp run

sk4zuzu (Contributor) commented Sep 4, 2020

@atsikham I've done some testing on the PR.

root@x1a1:/etc/kubernetes# find . -type f -path '*/pki/*.crt' | while read FILE; do echo $FILE && openssl x509 -in $FILE -text -noout | grep 'Not After'; done
./pki/front-proxy-client.crt
            Not After : Nov 12 12:13:28 2020 GMT
./pki/apiserver.crt
            Not After : Nov 12 12:13:27 2020 GMT
./pki/etcd/server.crt
            Not After : Nov 12 12:13:28 2020 GMT
./pki/etcd/healthcheck-client.crt
            Not After : Nov 12 12:13:27 2020 GMT
./pki/etcd/ca.crt
            Not After : Sep  2 10:00:49 2030 GMT
./pki/etcd/peer.crt
            Not After : Nov 12 12:13:28 2020 GMT
./pki/ca.crt
            Not After : Sep  2 10:00:48 2030 GMT
./pki/apiserver-etcd-client.crt
            Not After : Nov 12 12:13:27 2020 GMT
./pki/front-proxy-ca.crt
            Not After : Sep  2 10:00:48 2030 GMT
./pki/apiserver-kubelet-client.crt
            Not After : Nov 12 12:13:27 2020 GMT
root@x1a1:/etc/kubernetes# cd ../kubernetes-previous/
root@x1a1:/etc/kubernetes-previous# find . -type f -path '*/pki/*.crt' | while read FILE; do echo $FILE && openssl x509 -in $FILE -text -noout | grep 'Not After'; done
./pki/front-proxy-client.crt
            Not After : Sep  4 10:00:49 2021 GMT
./pki/apiserver.crt
            Not After : Sep  4 11:42:01 2021 GMT
./pki/etcd/server.crt
            Not After : Sep  4 10:00:49 2021 GMT
./pki/etcd/healthcheck-client.crt
            Not After : Sep  4 10:00:50 2021 GMT
./pki/etcd/ca.crt
            Not After : Sep  2 10:00:49 2030 GMT
./pki/etcd/peer.crt
            Not After : Sep  4 10:00:50 2021 GMT
./pki/ca.crt
            Not After : Sep  2 10:00:48 2030 GMT
./pki/apiserver-etcd-client.crt
            Not After : Sep  4 10:00:50 2021 GMT
./pki/front-proxy-ca.crt
            Not After : Sep  2 10:00:48 2030 GMT
./pki/apiserver-kubelet-client.crt
            Not After : Sep  4 10:00:48 2021 GMT

The bottom one is default renew: false, the upper one is renew: true + expiration_days: 69.
It seems all certs are updated and the time period is correct.
Good work! 👍
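As an added example (not code from this PR or from the Epiphany project), the script below parses the output of the `find ... | openssl x509 -text -noout | grep 'Not After'` loop used in the review above and reports, for each control-plane certificate, how many days of validity remain, marking CA certificates separately and flagging leaf certificates that fall inside a warning window. The embedded sample is constructed from the `renew: true` + `expiration_days: 69` run quoted in the comment; the 30-day threshold, the `CA_NAMES` tuple and all function names are my own assumptions, not part of the PR or of kubeadm.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the format produced by the review's loop:
#   find . -type f -path '*/pki/*.crt' | while read FILE; do echo $FILE && openssl x509 -in $FILE -text -noout | grep 'Not After'; done
# The dates are copied from the "renew: true + expiration_days: 69" run in the comment above.
SAMPLE_OUTPUT = """\
./pki/front-proxy-client.crt
            Not After : Nov 12 12:13:28 2020 GMT
./pki/apiserver.crt
            Not After : Nov 12 12:13:27 2020 GMT
./pki/etcd/ca.crt
            Not After : Sep  2 10:00:49 2030 GMT
./pki/ca.crt
            Not After : Sep  2 10:00:48 2030 GMT
./pki/apiserver-kubelet-client.crt
            Not After : Nov 12 12:13:27 2020 GMT
"""

NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$")
# Assumption: these file names are the CA certificates (10-year validity in the sample),
# everything else under pki/ is a leaf certificate that the renew setting affects.
CA_NAMES = ("ca.crt", "front-proxy-ca.crt")


def parse_not_after(text):
    """Map each certificate path to its 'Not After' instant (UTC).

    Expects alternating lines: a path ending in .crt, then the openssl 'Not After' line.
    """
    expiries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(".crt"):
            current = line
            continue
        match = NOT_AFTER_RE.search(line)
        if match and current is not None:
            # openssl pads single-digit days with two spaces ('Sep  2'); collapse them.
            date_str = " ".join(match.group(1).split())
            if date_str.endswith(" GMT"):  # openssl prints this field in GMT
                date_str = date_str[: -len(" GMT")]
            expiry = datetime.strptime(date_str, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            expiries[current] = expiry
            current = None
    return expiries


def classify(expiries, now, warn_days=30):
    """Return {path: {"days": int, "ca": bool, "status": "ok" | "warn" | "expired"}}."""
    report = {}
    for path, expiry in expiries.items():
        remaining = (expiry - now).days
        if remaining < 0:
            status = "expired"
        elif remaining <= warn_days:
            status = "warn"
        else:
            status = "ok"
        report[path] = {
            "days": remaining,
            "ca": path.rsplit("/", 1)[-1] in CA_NAMES,
            "status": status,
        }
    return report


def report_at(now_utc, text=SAMPLE_OUTPUT, warn_days=30):
    """Convenience wrapper: now_utc is an ISO-8601 string such as '2020-09-04T12:13:27Z'."""
    now = datetime.strptime(now_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return classify(parse_not_after(text), now, warn_days)


if __name__ == "__main__":
    # Evaluate the sample as of the moment the review's certificates were issued.
    for path, info in report_at("2020-09-04T12:13:27Z").items():
        kind = "CA  " if info["ca"] else "leaf"
        print(f"{info['status']:8} {kind} {info['days']:5d} days  {path}")
```

Run against a real cluster by replacing `SAMPLE_OUTPUT` with the captured loop output and passing the current UTC time to `report_at`; on the sample, every leaf certificate comes out at 69 days, which is the check the reviewer performed by eye. `kubeadm alpha certs check-expiration`, listed in the PR description, gives the same information directly on the node; this script is for reviewing output copied off the node, for example from a `kubernetes-previous` backup alongside the live directory.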

@atsikham atsikham requested review from mkyc and sk4zuzu September 6, 2020 22:39
@atsikham atsikham changed the title Added ability to change control plane certificates expiration date Ability to change control plane certificates expiration date Sep 6, 2020
sk4zuzu (Contributor) left a review comment:

LGTM

mkyc (Contributor) left a review comment:

LGTM
