This repository was archived by the owner on Feb 6, 2025. It is now read-only.
Add kucero addon to auto-rotate control plane certificates #1152
Merged
Conversation
kucero is a KUbernetes CErtificate ROtation focus on kubernetes control plane certificate rotation automatically
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
Add kucero addon to 1.17.4 to force users to install the kucero addon first, before node upgrade. Otherwise, if a control plane node is upgraded before the kucero addon is installed, the node's kubelet CSR is generated but no kucero signer signs it.
Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
innobead reviewed on Jun 12, 2020
```go
	return nil
}

func kubeletConfigure(t *Target, data interface{}) error {
```
Removing kubelet server cert creation and upload is because we enable server rotation, so it's expected everything will be set up automatically?
Yes, I intended to add kucero at the previous version 1.17.4 because I want to install kucero first and enable kubelet serverTLSBootstrap: true when the cluster upgrades.
innobead approved these changes on Jun 12, 2020
LGTM
cc @c3y1huang @cclhsu please help review. thanks.
c3y1huang approved these changes on Jun 22, 2020
mmnelemane pushed a commit to mmnelemane/skuba that referenced this pull request on Jul 3, 2020:

* Add a new addon kucero
  kucero is a KUbernetes CErtificate ROtation focus on kubernetes control plane certificate rotation automatically
  Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
* Remove self-signed kubelet server cert
  Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
* Enable kubelet server TLS bootstrap for cluster upgrade
  Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
* Enable kubelet server TLS bootstrap for cluster init
  Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
* Add kucero to 1.17.4
  Add kucero addon to 1.17.4 to force user install kucero addon first before node upgrade. Otherwise, if upgrade control plane node before kucero addon installed, the node's kubelet CSR generated but no kucero signer signs it.
  Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
* Add copyright year 2020
  Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
* Update test case
  Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com>
Why is this PR needed?
Add kucero as an addon to auto-rotate control plane certificates.
kucero includes two components:
refs: https://github.com/SUSE/avant-garde/issues/1632
What does this PR do?
Add kucero as an addon.
Anything else a reviewer needs to know?
We add kucero on both 1.17.4 and 1.18.2 because we want kucero deployed before node upgrade. Adding kucero to the previous version makes the user install the kucero addon first. Otherwise, the kubelet server CSR will stay in pending state since no signer signs the kubelet server certificate.
Info for QA
Previously, the kubelet server certificate was self-signed by skuba with the kubelet CA cert/key pair.
With this PR, the kubelet sends a server CSR in the K8s cluster, kucero signs the server certificate for the kubelet with the kubelet CA cert/key pair, and then the kubelet saves the server certificate in /var/lib/kubelet/pki/kubelet-server-current.pem. Note that the metrics-server trusts the kubelet server certificate via the kubelet CA cert. If the kubelet server certificate is signed by another CA, the metrics-server will be in CrashLoopBack.
Related info
Packages to be released:
Status BEFORE applying the patch
Status AFTER applying the patch
serverTLSBootstrap: true, and kubelet will send a server CSR. Then kucero will sign the kubelet server certificate with the kubelet CA cert/key pair and kubelet saves the server certificate in /var/lib/kubelet/pki/kubelet-server-current.pem. The time at which kubelet sends the server CSR is handled by the kubelet daemon.
Docs
SUSE/doc-caasp#879
Merge restrictions
(Please do not edit this)
We are in v4-maintenance phase, so we will restrict what can be merged to prevent unexpected surprises: