Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Labels:
None

Work Type:
BU Product Work
Story Points:
3
Blocked:
False
Blocked Reason:
None
Ready:
False
Epic Link:
Auto-rotation of etcd signer certs
Feature Link:
OCPSTRAT-1422 - [etcd] Automatic rotation of etcd signer certs when the cluster is still online
Intelligence Requested:
Market:

Sprint:
ETCD Sprint 255

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

We shall never allow new leaf certificates to be generated when a revision rollout is in progress AND when the bundle was just changed.

From ~~ETCD-606~~ we know when a bundle has changed, so we can save the current revision in the operator status and only allow leaf updates on the next higher revision.

NOTE: this assumes etcd rolls out slower than apiserver in practice. We should also think about how we can in-cooperate the revision rollout on the apiserver static pods.

links to

openshift/cluster-etcd-operator#1269: ETCD-607: gate leaf cert generation

openshift/cluster-etcd-operator#1275: ETCD-607: gate leaf cert generation (with bundle revision)

Assignee:: Thomas Jungblut

Reporter:: Thomas Jungblut

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2024/05/27 3:38 PM

Updated:: 2024/09/05 2:47 AM

Resolved:: 2024/06/18 4:44 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates