Update apiserver certificate SANs with k8s master IPs #1556

Merged
merged 17 commits into from
Aug 18, 2020
@atsikham atsikham commented Aug 12, 2020

Bug #1520
Changes were made according to the design spec. An important note: kubectl will act as before with private IPs if they were not used in the Ansible inventory, as initially k8s apiserver certificates have only SANs related to the current node, for example:

DNS:atsikham-update-kubernetes-master-vm-1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, IP Address:10.96.0.1, IP Address:10.1.1.6

Cases that were tested:

  • HA cluster deployment from scratch
  • HA cluster update with old certificate SANs
  • HA cluster update with new certificate SANs
  • promotion to HA of single-master cluster that contains old certificate SANs

Tests were performed with 3-master k8s clusters.
To check that changes work as expected:

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout | grep DNS:
openssl s_client -connect <master_ip>:3446 </dev/null | openssl x509 -noout -text | grep DNS:
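
An added example (not part of the pull request or the project's code) that turns the manual `grep` check above into a pass/fail comparison: it parses the SAN line from `openssl x509 -noout -text` output and reports which expected entries are absent. The sample text reuses the SAN list quoted above; the additional master addresses 10.1.1.7 and 10.1.1.8 and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare apiserver certificate SANs against an expected list.
# Real use (path taken from the check above):
#   openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text \
#     | missing_sans IP:<master_ip_1> IP:<master_ip_2>

# Print the certificate's SANs one per line, normalised to "DNS:x" / "IP:x".
list_sans() {
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
              -e 's/^IP Address:/IP:/'
}

# Read `openssl x509 -text` output on stdin; print the expected entries
# (arguments) that the certificate lacks. Exit status 0 only if none is missing.
missing_sans() {
    sans=$(list_sans)
    missing=''
    for want in "$@"; do
        # -x (whole line) and -F (fixed string) so that IP:10.1.1.6 is not
        # satisfied by IP:10.1.1.60 and dots are not treated as wildcards.
        printf '%s\n' "$sans" | grep -qxF -- "$want" || missing="$missing $want"
    done
    printf '%s' "${missing# }"
    [ -z "$missing" ]
}

# Constructed sample: the single-node SAN list quoted in the description.
sample_cert_text() {
cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:atsikham-update-kubernetes-master-vm-1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, IP Address:10.96.0.1, IP Address:10.1.1.6
EOF
}

# Hypothetical 3-master cluster: 10.1.1.7 and 10.1.1.8 are assumed addresses.
if out=$(sample_cert_text | missing_sans IP:10.1.1.6 IP:10.1.1.7 IP:10.1.1.8); then
    echo "all expected SANs present"
else
    echo "certificate lacks: $out"
fi
```

A non-empty result on any master means that clients connecting through one of the listed addresses will fail TLS hostname verification against that node's certificate.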

@atsikham atsikham marked this pull request as ready for review August 13, 2020 14:10
@atsikham atsikham changed the title Issue/kubectl update san Update apiserver certificate SANs with k8s master IPs Aug 13, 2020
jonmurphy407 previously approved these changes Aug 14, 2020

@sk4zuzu sk4zuzu left a comment

I have manually tested the following scenarios:

  • multi master deployment (3 instances) ✔️
  • single non-ha master deployment ✔️
  • promotion from single non-ha master ✔️
  • scaling up from single master to multi master (3 instances) ✔️

Code quality seems good, LGTM 👍.

@atsikham atsikham merged commit 379fb2c into hitachienergy:develop Aug 18, 2020