Loading...

XML

Word

Printable

Type: Epic
Resolution: Unresolved
Priority: Critical
Fix Version/s: None
Affects Version/s: openshift-4.13
Component/s: kube-apiserver
Labels:
- api

Epic Name:
Fallback (Protocol) for Emergency Certificate Rotation
Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected
Epic Status:
To Do
Hierarchy Progress:
50
Hierarchy Progress Bar:

50% 50%

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Intelligence Requested:
Market:

https://docs.google.com/document/d/198C4xwi5td_V-yS6w-VtwJtudHONq0tbEmjknfccyR0/edit#heading=h.oynu7bkhz613

Goal:

recover the cluster when certs expire while a node is down
should work for OpenShift (both HA and Single)
Ideally, if possible, we want to make it an automated repair process.
cover both rebooted node and suspended node
Evaluate (during the research) effort to provide a mechanism to the admin so he/she can trigger a cert regeneration

Non Goal:

change host name / node identity
make rotation faster
any existing cert we have today should not have modified expiration period

Acceptance Criteria:

documentation with findings
OpenShift KEP

blocks

OCPSTRAT-714 Comprehensive overhaul of handling OCP internal cert & keys

In Progress

is cloned by

OCPSTRAT-642 [Part 1] Fallback (Protocol) for Emergency Certificate Rotation

Closed

is related to

OCPBUGS-30741 kube-scheduled certificates not correctly rotated after restart of cluster powered of for 2 months

API-1687 Impact cert issues after 4.14 to 4.15 upgrade

Review

OCPSTRAT-642 [Part 1] Fallback (Protocol) for Emergency Certificate Rotation

Closed

relates to

API-1376 OpenShift 4.X supports an official process to shut down, restart, and resume an OpenShift cluster from a powered off state, this function should be continuously validated, supported, and guaranteed for consumers for DR and lifecycle use-cases

(1 relates to)

1.	ETCD: Automatic renewal of peer, serving and serving-metrics certificates in case of their expiration	New	Haseeb Tariq
2.	ETCD: Recover the etcd cluster when certificates expire.	New	Unassigned
3.	Add e2e Test	In Progress	Vadim Rutkovsky
4.	Automatic CSR approval for master node/kubelet	Closed	Vadim Rutkovsky
5.	[spike] kube-apiserver automatic reloading of certs	New	Unassigned
6.	[spike] investigate certificate renewal/recovery for components	New	Vadim Rutkovsky
7.	[spike] investigate KCM’s SA signer, rotation might not work but expiry must	New	Vu Dinh
8.	[spike] kubelet dependency on external cloud provider	New	Damien Grisonnet
9.	[spike] investigate kubeconfig renewal	New	Unassigned
10.	[spike] investigate client-go: doesn’t auto-reload (bounded)tokens and CAs	New	Unassigned
11.	design and implement auto approver for kubelet CSRs for worker nodes	New	Unassigned
12.	Implement `workflow-test` for cluster-bot	Closed	Vadim Rutkovsky

Assignee:: Damien Grisonnet

Reporter:: Damien Grisonnet

Votes:: 0 Vote for this issue

Watchers:: 18 Start watching this issue

Created:: 2023/06/08 1:53 PM

Updated:: 2024/04/24 10:27 AM

Details

Description

Attachments

Issue Links

Sub-Tasks

Activity

People

Dates