Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Regenerate API server serving certificates when upgrading to v1.9 #548

Closed
luxas opened this issue Nov 18, 2017 · 0 comments · Fixed by kubernetes/kubernetes#55998
Closed

Regenerate API server serving certificates when upgrading to v1.9 #548

luxas opened this issue Nov 18, 2017 · 0 comments · Fixed by kubernetes/kubernetes#55998
Assignees
@xiangpengzhao
Labels
area/releasing area/security area/upgrades priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Milestone
v1.9

Comments

@luxas
Copy link
Member

luxas commented Nov 18, 2017

As kubeadm went beta in v1.6 (March 2016), we have supported upgrading clusters since, and the API server serving certs are valid for one year, we now have to add support for refreshing the API server serving certs when upgrading.
Otherwise we risk having invalid certs at the time v1.10 is released (might be before or after, and consumers might take some time to upgrade to v1.10)

What we basically need to do is nothing else than backing up /etc/kubernetes/pki/apiserver.{crt,key} to an expired directory or something like that, and invoking kubeadm alpha phase certs apiserver internally, just generating the API server serving cert again in cmd/kubeadm/app/phases/upgrade/postupgrade.go
@luxas luxas added this to the v1.9 milestone Nov 18, 2017
@luxas luxas added area/releasing area/security area/upgrades kind/enhancement priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Nov 18, 2017
@xiangpengzhao xiangpengzhao mentioned this issue Nov 18, 2017
Merged
2 tasks
@luxas luxas mentioned this issue Nov 18, 2017
Closed
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Nov 22, 2017
Merge pull request #55998 from xiangpengzhao/regen-apiserver-crt
991e33d 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Regenerate API server serving certificates when upgrading.

**What this PR does / why we need it**:
TODO: 
- [x] check the age of crt.
- [x] check the new version number.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes kubernetes/kubeadm#548

**Special notes for your reviewer**:
/cc @luxas 

**Release note**:

```release-note
NONE
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@xiangpengzhao xiangpengzhao

Labels
area/releasing area/security area/upgrades priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Projects
None yet
Milestone
v1.9
Development

Successfully merging a pull request may close this issue.

Regenerate API server serving certificates when upgrading. xiangpengzhao/kubernetes
2 participants
@luxas @xiangpengzhao