Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Labels:
None

Activity Type:
Product / Portfolio Work
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Epic Link:
ETCD-445
Story Points:
5

Target Version:
None
Release Blocker:
None
Sprint:
ETCD Sprint 250

After merging ~~ETCD-512~~, we need to ensure the certs are regenerated when the signer changes.

Current logic in library-go only changes when the bundle is updated, which is not sufficient of a criteria for the etcd rotation.

Some initial take: https://github.com/openshift/library-go/pull/1674

discussion in: https://redhat-internal.slack.com/archives/CC3CZCQHM/p1706889759638639

AC:

leaf certs should be checked with AKI/SKI continuously for more robust change detection
leaf certs should be checked that a given signer was actually used to sign a certificate
use a filtered informer for node updates to avoid calling expensive logic too often (https://github.com/openshift/library-go/blob/master/pkg/controller/factory/factory.go#L109C19-L109C46)

duplicates

ETCD-527 [Automated Rotation] ensure bundle rollout before leaf cert re-creation

Closed

links to

openshift/cluster-etcd-operator#1200: ETCD-535: Manual CA rotation should rotate all leaf certs

Assignee:: Thomas Jungblut

Reporter:: Thomas Jungblut

Need Info From:: None

Contributors:: None

QA Contact:: None

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2024/02/06 11:52 AM

Updated:: 2025/06/27 9:51 AM

Resolved:: 2024/03/26 4:59 PM