kubernetes / website

Kubernetes website and documentation repo:
https://kubernetes.io
Creative Commons Attribution 4.0 International

Certificate Management with kubeadm #24189

Closed zgfh closed 3 years ago

zgfh commented 4 years ago
alpha certs renew uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.

https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#automatic-certificate-renewal

This confuses me, I thought I could not use this command, and I don't know how to keep them in sync. Should we add the method for how to keep them in sync?

neolit123 commented 4 years ago

the note says the properties of the certs on disk (such as SAN) will be used for generating the new certs. to "keep them in sync" means that if you generated custom certs using your own process, make sure that e.g. kubeadm-config (ConfigMap) -> ClusterConfiguration -> apiServer -> extraSANs matches the SANs in the kube-apiserver certificate. (or the other way around).

but IIRC, kubeadm ... certs renew fetches the kubeadm ClusterConfiguration before renewing if it can, so the above message seems false / out of date.

/assign @fabriziopandini to double check my understanding.

/triage support /sig cluster-lifecycle
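The "keep them in sync" check described in the comment above can be automated. The following Go program is an added example, not code from the kubernetes/website repository or from kubeadm itself: it extracts the `apiServer.certSANs` list from a constructed `ClusterConfiguration` document (the field name `certSANs` is the one kubeadm uses in its config API; the comment above writes it as `extraSANs`), reads the DNS and IP SANs out of a PEM certificate, and reports any configured SAN the certificate does not carry. The sample certificate is generated in-process so the example runs offline; in a real cluster you would feed it `/etc/kubernetes/pki/apiserver.crt` and the output of `kubectl -n kube-system get cm kubeadm-config -o yaml`. The YAML extraction is a deliberately minimal line scanner for block-style lists, not a full parser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// clusterConfigYAML is a constructed sample of the ClusterConfiguration
// document stored in the kubeadm-config ConfigMap. Only apiServer.certSANs
// matters for this check; the values are placeholders.
const clusterConfigYAML = `apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
apiServer:
  certSANs:
  - api.example.internal
  - 10.0.0.10
  - 192.0.2.25
kubernetesVersion: v1.20.0
`

// configCertSANs returns the entries of the certSANs block list in doc.
// Assumption: the list is written in block style ("- item" per line).
func configCertSANs(doc string) []string {
	var sans []string
	inList := false
	for _, raw := range strings.Split(doc, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "certSANs:":
			inList = true
		case inList && strings.HasPrefix(line, "- "):
			sans = append(sans, strings.TrimSpace(strings.TrimPrefix(line, "- ")))
		case inList:
			inList = false // first non-item line ends the list
		}
	}
	return sans
}

// certSANs parses a PEM-encoded certificate and returns its DNS and IP SANs,
// which is exactly what kubeadm carries over when it renews from disk.
func certSANs(pemData []byte) ([]string, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	sans := append([]string{}, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		sans = append(sans, ip.String())
	}
	return sans, nil
}

// missingFromCert returns the configured SANs that the certificate lacks:
// a non-empty result means the ConfigMap and the cert on disk have drifted.
func missingFromCert(config, cert []string) []string {
	have := make(map[string]bool, len(cert))
	for _, s := range cert {
		have[s] = true
	}
	var missing []string
	for _, s := range config {
		if !have[s] {
			missing = append(missing, s)
		}
	}
	return missing
}

// sampleAPIServerCert builds a constructed self-signed certificate carrying the
// given SANs, standing in for /etc/kubernetes/pki/apiserver.crt.
func sampleAPIServerCert(dnsNames []string, ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// The cert deliberately lacks 192.0.2.25 to show what drift looks like.
	pemData, err := sampleAPIServerCert([]string{"api.example.internal"}, []net.IP{net.ParseIP("10.0.0.10")})
	if err != nil {
		panic(err)
	}
	onDisk, err := certSANs(pemData)
	if err != nil {
		panic(err)
	}
	missing := missingFromCert(configCertSANs(clusterConfigYAML), onDisk)
	fmt.Println("SANs in ConfigMap but not in certificate:", missing)
}
```

Running it prints the SANs that exist in the ConfigMap but not in the certificate; for the constructed input that is `192.0.2.25`. A renewal driven by the on-disk certificate would silently drop that address, so a non-empty result is the signal to regenerate the certificate (or correct the ConfigMap) before running `kubeadm certs renew`.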

fejta-bot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

fabriziopandini commented 3 years ago

/remove-lifecycle stale

@neolit123 sorry for the late answer but this got somehow out of my radar.

If I follow the code right, we are still reading certificates details from disk at

https://github.com/kubernetes/kubernetes/blob/ff4234720d4ec390ca6f6aac4c19a21ba6661841/cmd/kubeadm/app/phases/certs/renewal/manager.go#L220

and then using that to build the certificate config at

https://github.com/kubernetes/kubernetes/blob/ff4234720d4ec390ca6f6aac4c19a21ba6661841/cmd/kubeadm/app/phases/certs/renewal/manager.go#L227

neolit123 commented 3 years ago

I guess we can close this then. The IIRC part of my message above is not correct.

/close

k8s-ci-robot commented 3 years ago

@neolit123: Closing this issue.

In response to [this](https://github.com/kubernetes/website/issues/24189#issuecomment-753929452):

> I guess we can close this then.
> The IIRC part of my message above is not correct.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.