Story
Resolution: Done
Strategic Product Work
5
OCPSTRAT-1104 - [etcd] manual rotation of etcd signer certs when the cluster is still online
ETCD Sprint 250
After merging ETCD-512, we need to ensure the certs are regenerated when the signer changes.
The current logic in library-go only triggers when the bundle is updated, which is not a sufficient criterion for the etcd rotation.
Some initial take: https://github.com/openshift/library-go/pull/1674
discussion in: https://redhat-internal.slack.com/archives/CC3CZCQHM/p1706889759638639
AC:
- leaf certs should be checked with AKI/SKI continuously for more robust change detection
- leaf certs should be checked to confirm that the given signer was actually used to sign them
- use a filtered informer for node updates to avoid calling expensive logic too often (https://github.com/openshift/library-go/blob/master/pkg/controller/factory/factory.go#L109C19-L109C46)
Duplicates: ETCD-527 [Automated Rotation] ensure bundle rollout before leaf cert re-creation (Closed)