Story
Resolution: Done
OCPSTRAT-1422 - [etcd] Automatic rotation of etcd signer certs when the cluster is still online
ETCD Sprint 255
We must never allow new leaf certificates to be generated while a revision rollout is in progress AND the bundle has just changed.
From ETCD-606 we know when a bundle has changed, so we can record the current revision in the operator status and only allow leaf updates once the next higher revision has been reached.
NOTE: this assumes that in practice etcd rolls out more slowly than the apiserver. We should also think about how to incorporate the revision rollout of the apiserver static pods.
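The gate described above, as an added illustration that is not the operator's own code: the status type, the field names and the two functions are assumptions chosen for this example, and the revision numbers are constructed.

```go
package main

import "fmt"

// CertRotationStatus is a hypothetical stand-in for the operator status
// fields the ticket proposes (names are assumptions, not the real API).
type CertRotationStatus struct {
	// LatestRevision is the revision currently being rolled out (or last rolled out).
	LatestRevision int32
	// RolloutInProgress is true while some etcd static pod is not yet at LatestRevision.
	RolloutInProgress bool
	// BundleChangedAtRevision is the revision recorded when the bundle last changed;
	// 0 means no bundle change has been observed since tracking started.
	BundleChangedAtRevision int32
}

// ObserveBundleChange records the revision at which the bundle changed
// (the signal ETCD-606 provides) so later reconciles can compare against it.
func ObserveBundleChange(s *CertRotationStatus) {
	s.BundleChangedAtRevision = s.LatestRevision
}

// LeafRotationAllowed implements the gate: no new leaf certificates while a
// rollout is in progress AND the bundle change has not yet been carried by a
// higher revision. Once LatestRevision exceeds the recorded one, leaf
// updates are permitted again.
func LeafRotationAllowed(s CertRotationStatus) bool {
	bundleJustChanged := s.BundleChangedAtRevision != 0 &&
		s.LatestRevision <= s.BundleChangedAtRevision
	return !(s.RolloutInProgress && bundleJustChanged)
}

func main() {
	// Constructed scenario: bundle changes at revision 5, rollout starts,
	// leaf rotation must wait until revision 6 exists.
	s := CertRotationStatus{LatestRevision: 5}
	fmt.Println("before bundle change:", LeafRotationAllowed(s)) // true
	ObserveBundleChange(&s)
	s.RolloutInProgress = true
	fmt.Println("rollout of rev 5 in progress:", LeafRotationAllowed(s)) // false
	s.LatestRevision = 6
	fmt.Println("rev 6 created:", LeafRotationAllowed(s)) // true
}
```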