OpenShift Etcd / ETCD-606

Batch bundle revision rollout


    • Story
    • Resolution: Done
    • Strategic Product Work
    • 3
    • OCPSTRAT-1422 - [etcd] Automatic rotation of etcd signer certs when the cluster is still online
    • ETCD Sprint 254

      Currently, a new revision is created whenever the CA bundle configmaps (etcd-signer / metrics-signer) change.

      As of today, this change is not transactional across invocations of EnsureConfigMapCABundle, meaning that four revisions (at most, one for each function call) could be created. 

      For gating the leaf cert generation on a fixed revision number, it's important to ensure that any bundle change will only ever result in exactly one revision change.

      We currently ensure this for leaf certificates by a single update to "etcd-all-certs"; we can use the exact same trick again.

      AC: 

      • create a single revisioned configmap that contains all relevant CA bundles
      • update all static pod manifests to read from that configmap instead of the two existing ones
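The Go model below is an added example, not code from the OpenShift etcd project; it contrasts one configmap write per CA bundle with a single batched write. The `store` type, the configmap name `etcd-all-bundles`, the `ca-bundle.crt` key and the worst-case assumption that the revision controller observes every write are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"reflect"
)

// store is a toy model of revisioned configmaps (not the operator's code).
// Worst case assumed: the revision controller observes every single write.
type store struct {
	configMaps map[string]map[string]string // configmap name -> data
	revision   int
}

func newStore() *store { return &store{configMaps: map[string]map[string]string{}} }

// apply writes one configmap; only a content change creates a revision.
func (s *store) apply(name string, data map[string]string) {
	if !reflect.DeepEqual(s.configMaps[name], data) {
		s.configMaps[name] = data
		s.revision++
	}
}

// rolloutPerBundle: one configmap write per CA bundle (current behaviour).
func rolloutPerBundle(s *store, bundles map[string]string) int {
	start := s.revision
	for name, pem := range bundles {
		s.apply(name, map[string]string{"ca-bundle.crt": pem}) // assumed key name
	}
	return s.revision - start
}

// rolloutBatched: every bundle in one configmap, one write (the AC above).
func rolloutBatched(s *store, bundles map[string]string) int {
	start := s.revision
	s.apply("etcd-all-bundles", bundles) // hypothetical configmap name
	return s.revision - start
}

func main() {
	old := map[string]string{"etcd-signer": "ca-v1", "metrics-signer": "ca-v1"} // constructed values
	rotated := map[string]string{"etcd-signer": "ca-v2", "metrics-signer": "ca-v2"}
	a, b := newStore(), newStore()
	rolloutPerBundle(a, old)
	rolloutBatched(b, old)
	fmt.Println("per-bundle revisions:", rolloutPerBundle(a, rotated))
	fmt.Println("batched revisions:", rolloutBatched(b, rotated))
}
```

Gating leaf cert generation on a fixed revision number only works in the batched case, where a rotation of both signers maps to exactly one revision and a repeated write of unchanged bundles maps to none.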

              tjungblu@redhat.com Thomas Jungblut