OpenShift Etcd
ETCD-512

Use the library-go cert rotation controller in etcd-operator


    • Type: Spike
    • Resolution: Done
    • Priority: Critical
    • BU Product Work
    • 5
    • OCPSTRAT-1104 - [etcd] manual rotation of etcd signer certs when the cluster is still online
    • Sprints: ETCD Sprint 247, ETCD Sprint 248, ETCD Sprint 249

      This spike explores using the library-go cert rotation utils in the etcd-operator to replace or augment the existing etcdcertsigner controller.

      https://github.com/openshift/library-go/blob/master/pkg/operator/certrotation/client_cert_rotation_controller.go
      https://github.com/openshift/cluster-etcd-operator/pull/1177

      The goal of this spike is to evaluate if the library-go cert rotation util gives us rotation capabilities for the signer cert along with the peer and server certs.

      There are a couple of issues to explore with the use of the library-go cert signer controller:

      • The etcd cluster is currently configured with a single CA for etcd's peer and server certs, whereas the library-go controller would require using different CAs for the peer and server certs.
      • We also need to consider how upgrades would be handled, i.e., if we change to using two new CAs, would our new cert signer controller handle that transparently?
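The upgrade question in the second bullet comes down to trust-bundle handling while a signer is being replaced. The following is an added example for this ticket, not code from cluster-etcd-operator or from library-go's certrotation package: using only crypto/x509, it rotates a signer CA (same subject, new key), re-issues a peer/server-style leaf under it, and checks which leaf/bundle pairings verify. A member whose trust bundle still holds only the old signer rejects the new leaf, while a merged bundle containing both signers accepts old and new leaves, which is the property an online rotation has to preserve. The helpers newSigner, issueLeaf, trustedBy and RunRotationScenario and the hostname are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; keeps the example short (demo-only error handling).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint signs tmpl with parentKey and parses the result (self-signed when parent == tmpl).
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
	return must(x509.ParseCertificate(der))
}

// newSigner creates a self-signed CA, the "signer". Hypothetical helper for this
// example; it is not the library-go certrotation API.
func newSigner(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mint(tmpl, tmpl, &key.PublicKey, key), key
}

// issueLeaf issues a peer/server-style leaf for host under the given signer.
func issueLeaf(signer *x509.Certificate, signerKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return mint(tmpl, signer, &key.PublicKey, signerKey)
}

// trustedBy reports whether leaf chains to any CA in bundle for host.
func trustedBy(leaf *x509.Certificate, host string, bundle ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range bundle {
		pool.AddCert(ca)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err == nil
}

// RotationResult records which leaf/trust-bundle pairings verify once the signer
// has been rotated (same subject, new key) and the leaf re-issued under it.
type RotationResult struct {
	OldLeafOldBundle, NewLeafOldBundle, OldLeafMergedBundle, NewLeafMergedBundle bool
}

// RunRotationScenario performs the rotation and evaluates the four pairings.
func RunRotationScenario() RotationResult {
	const host = "etcd-0.example.internal" // constructed hostname for the example
	oldCA, oldKey := newSigner("etcd-signer")
	oldLeaf := issueLeaf(oldCA, oldKey, host)
	newCA, newKey := newSigner("etcd-signer") // rotated signer: same subject, fresh key
	newLeaf := issueLeaf(newCA, newKey, host)
	return RotationResult{
		OldLeafOldBundle:    trustedBy(oldLeaf, host, oldCA),        // steady state before rotation
		NewLeafOldBundle:    trustedBy(newLeaf, host, oldCA),        // member not yet given the new CA
		OldLeafMergedBundle: trustedBy(oldLeaf, host, oldCA, newCA), // merged bundle keeps un-rotated peers
		NewLeafMergedBundle: trustedBy(newLeaf, host, oldCA, newCA), // ...and accepts freshly issued leaves
	}
}

func main() {
	fmt.Printf("%+v\n", RunRotationScenario())
}
```

The NewLeafOldBundle case is the failure mode to design around: any member or client that is handed a leaf from the new signer before its trust bundle carries that signer will refuse the connection, so the bundle must be widened before leaves are re-issued and narrowed only after no leaf from the old signer remains in use. The same ordering applies whether one CA or separate peer and server CAs are in play, which is why the single-CA-to-two-CA transition in the first bullet needs an explicit upgrade path.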

            tjungblu@redhat.com Thomas Jungblut
            rhn-coreos-htariq Haseeb Tariq