Uploaded image for project: 'OpenShift API Server'
  1. OpenShift API Server
  2. API-1874 Certificates should rotate without control plane disruptions
  3. API-1613

ETCD: Automatic renewal of peer, serving and serving-metrics certificates in case of their expiration

XMLWordPrintable

    • Icon: Sub-task Sub-task
    • Resolution: Unresolved
    • Icon: Critical Critical
    • None
    • None
    • etcd
    • False
    • None
    • False
    • OCPSTRAT-1797 - Hitless TLS Certificate Rotation for Kubernetes API

      Currently, the EtcdCertSigner controller, which is part of the CEO, renews the aforementioned certificates roughly every 3 years. However, if the cluster is offline for a period longer than the certificate's validity, upon restarting the cluster, the controller won't be able to renew the certificates since the operator won't be running at all.

      It seems that we could apply a similar solution to what has been implemented for kube-apiserver.

      The document describing the solution for kube-apiserver in detail is at https://github.com/openshift/enhancements/blob/master/enhancements/kube-apiserver/auto-cert-recovery.md

      The Cert rotation controller is at https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/pkg/operator/certrotationcontroller/certrotationcontroller.go#L69

      The Recovery controller is at  https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/cmd/cluster-kube-apiserver-operator/main.go#LL57C78-L57C86

      The Cert syncer is at https://github.com/openshift/cluster-kube-apiserver-operator/blob/master/cmd/cluster-kube-apiserver-operator/main.go#LL56C16-L56C105 and https://github.com/openshift/library-go/tree/master/pkg/operator/staticpod/certsyncpod

       

      Scope:

      • Applies to peer serving and serving metrics certificates
      • Does not apply to etcd signer and etcd client

       

      Acceptance criteria

      • KEP reviewed and approved
      • The EtcdCertSigner controller is successfully able to renew the peer, serving, and serving-metrics certificates when their validity period expires.
      • The renewal process for certificates is automated and does not require manual intervention, ensuring seamless operation
      • Proper documentation is provided detailing the renewal process and the steps taken by the EtcdCertSigner controller to renew expired certificates when necessary.

              rhn-coreos-htariq Haseeb Tariq
              lszaszki@redhat.com Lukasz Szaszkiewicz
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: