Regenerate API server serving certificates when upgrading to v1.9 #548

Closed
luxas opened this issue Nov 18, 2017 · 0 comments · Fixed by kubernetes/kubernetes#55998
luxas commented Nov 18, 2017

As kubeadm went beta in v1.6 (March 2016), we have supported upgrading clusters since, and the API server serving certs are valid for one year, we now have to add support for refreshing the API server serving certs when upgrading.
Otherwise we risk having invalid certs at the time v1.10 is released (might be before or after, and consumers might take some time to upgrade to v1.10).

What we basically need to do is nothing else than backing up `/etc/kubernetes/pki/apiserver.{crt,key}` to an expired directory or something like that, and invoking `kubeadm alpha phase certs apiserver` internally, just generating the API server serving cert again in `cmd/kubeadm/app/phases/upgrade/postupgrade.go`.

luxas added this to the v1.9 milestone Nov 18, 2017
luxas added the area/releasing, area/security, area/upgrades, kind/enhancement and priority/important-soon labels Nov 18, 2017
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Nov 22, 2017
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Regenerate API server serving certificates when upgrading.

**What this PR does / why we need it**:
TODO: 
- [x] check the age of crt.
- [x] check the new version number.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes kubernetes/kubeadm#548

**Special notes for your reviewer**:
/cc @luxas 

**Release note**:

```release-note
NONE
```