OpenShift Etcd / ETCD-512

Use the library-go cert rotation controller in etcd-operator


    • Spike
    • Resolution: Done
    • Critical
    • OCPSTRAT-1104 - [etcd] rotation of etcd signer certs when the cluster is still online
    • ETCD Sprint 247, ETCD Sprint 248, ETCD Sprint 249

      This spike explores using the library-go cert rotation utils in the etcd-operator to replace or augment the existing etcdcertsigner controller.


      The goal of this spike is to evaluate if the library-go cert rotation util gives us rotation capabilities for the signer cert along with the peer and server certs.

      There are a couple of issues to explore with the use of the library-go cert signer controller:

      • The etcd cluster is currently configured with a single CA for etcd's peer and server certs, whereas the library-go controller would require using different CAs for the peer and server certs.
      • We also need to consider how upgrades would be handled, i.e., if we change to using two new CAs, would our new certsignercontroller handle that transparently?

            tjungblu@redhat.com Thomas Jungblut
            rhn-coreos-htariq Haseeb Tariq