-
Story
-
Resolution: Done
-
Normal
-
None
-
None
-
None
-
BU Product Work
-
2
-
False
-
None
-
False
-
OCPSTRAT-1104 - [etcd] manual rotation of etcd signer certs when the cluster is still online
-
-
-
ETCD Sprint 249, ETCD Sprint 250
Refactoring in ETCD-512 does not clean up certificates that are dynamically generated. Imagine you're recreating all your master nodes everyday, we would create new peer/serving/metrics certificates for each node and never clean them up.
We should try to be conservative when cleaning them up, so keep them around for a certain retention period (7-10 days?) after the node went away.
AC:
- CEO should clean up old-enough "node" certificates