Better handle client certificates renewal #5310

Closed
jiayiwang7 opened this issue Mar 20, 2023 · 1 comment

jiayiwang7 commented Mar 20, 2023

Problems

The client certificates generated in an EKS-A cluster expire after one year. The cluster stops functioning when the certs expire.

Currently, EKS-A renews the client certificates for the control plane (CP) whenever the CP machine is rolled out and regenerated. Therefore, most users won't encounter the cert expiry issue, as the cluster shall be upgraded within a year. However, if an EKS-A cluster is never upgraded - i.e. the CP or external ETCD machines are never rotated for a whole year - the client certificates will expire.

Solutions

Though we recommend all users to keep their EKS-A clusters up to date, it is still likely some clusters won't be upgraded for a long time. To solve this, we need to:

  1. provide documentation around the manual client cert renewal steps users can follow to renew both CP certs and external ETCD certs (if any) at any time without the cluster going down.
  2. provide options to auto-renew all the client certs before they expire. This can be done by rolling out the machines before the certs' expiration date, triggering the cert rotation to happen. REF: https://cluster-api.sigs.k8s.io/tasks/certs/auto-rotate-certificates-in-kcp.html

Notice that the CP certs manual/auto renewal process is trivial as it is covered by kubeadm as well as CAPI. But the external ETCD certs management is lacking from etcdadm and etcdadm controllers. We will need to research and potentially implement additional support just for external ETCD certs renewal. Related external ETCD certs issue: #5400
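A defender-side expiry check of the kind step 2 relies on, as an added example in Go (not EKS-A, kubeadm, etcdadm or CAPI code): it parses a PEM client certificate, computes the validity left at a given time and decides whether the machine should be rolled out before NotAfter so the certs get regenerated. The 30-day rotation lead, the `etcd-client` common name and the self-signed test certificate are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Remaining parses the first CERTIFICATE block in certPEM and returns the parsed
// certificate plus the validity left at time now (negative once it has expired).
func Remaining(certPEM []byte, now time.Time) (*x509.Certificate, time.Duration, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, 0, fmt.Errorf("no CERTIFICATE block in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, 0, err
	}
	return cert, cert.NotAfter.Sub(now), nil
}

// RotationDue is true when no more than lead validity remains (or the cert has
// already expired): roll the machine out now so kubeadm/etcdadm reissue its certs.
func RotationDue(remaining, lead time.Duration) bool {
	return remaining <= lead
}

// SelfSignedPEM builds a constructed test certificate (a real check would read the
// PEM from the node's PKI directory or a kubeconfig). Test helper only: panics on error.
func SelfSignedPEM(cn string, notBefore time.Time, validFor time.Duration) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(validFor)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Run `Remaining` on each CP and external ETCD client cert periodically and alert (or trigger the rollout) whenever `RotationDue` returns true; an already-expired cert is flagged too, since its remaining validity is negative.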

@jiayiwang7 jiayiwang7 modified the milestones: next-patch, v0.16.0 Mar 20, 2023
@jiayiwang7 jiayiwang7 changed the title Document user cert renewal process Document manual cert renewal process Mar 23, 2023
vignesh-goutham commented

Related issue for Etcd - #5400

We have to do this for both kubeadm and etcdadm.

@jiayiwang7 jiayiwang7 changed the title Document manual cert renewal process Better handle client certificates renewal Mar 28, 2023
@jiayiwang7 jiayiwang7 modified the milestones: v0.16.0, v0.17.0 May 4, 2023
@jaxesn jaxesn closed this as completed Jun 19, 2023