Kubernetes cluster certificate rotation

Bug #1834685 reported by Brent Rowsell
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: David Sullivan

Bug Description

Brief Description
-----------------
The Kubernetes internal cluster certificate currently is not set up to rotate and will expire after a year.
Rotation needs to be enabled and the expiry set up for one month vs. one year.

Severity
--------
Major for long term deployments

Expected Behavior
------------------
Rotation needs to be enabled and the expiry set up for 1 month vs. 1 year.

Actual Behavior
----------------
The certificate is not rotated and will expire in one year.

Reproducibility
---------------
100%

System Configuration
--------------------
Any configuration

Branch/Pull Time/Commit
-----------------------
any build with containerization

Ghada Khalil (gkhalil) wrote:

Marking as stx.2.0 - the k8s cluster will shut down after the certificate expires

summary: - Kubernetes certificate rotation
+ Kubernetes cluster certificate rotation
tags: added: stx.2.0 stx.containers
description: updated
Changed in starlingx:
status: New → Triaged
importance: Undecided → High
importance: High → Medium
assignee: nobody → Bart Wensley (bartwensley)
Ghada Khalil (gkhalil)
description: updated
Ghada Khalil (gkhalil)
Changed in starlingx:
assignee: Bart Wensley (bartwensley) → David Sullivan (dsullivanwr)

Frank Miller (sensfan22) wrote:

Reviewed by the containers PL (Frank) and TL (Brent) and changed priority to high. Without a fix for this LP, the system will shut down after 1 year and not be recoverable. As such this is required for stx.2.0.

Changed in starlingx:
importance: Medium → High

OpenStack Infra (hudson-openstack) wrote: Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/673617

Changed in starlingx:
status: Triaged → In Progress

OpenStack Infra (hudson-openstack) wrote: Fix merged to config (master)

Reviewed: https://review.opendev.org/673617
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=1cf4bd208575f03e5df5955e2d472710c07913b3
Submitter: Zuul
Branch: master

commit 1cf4bd208575f03e5df5955e2d472710c07913b3
Author: David Sullivan <email address hidden>
Date: Mon Jul 29 22:45:51 2019 -0400

    Set kubelet certificate rotation to 1 month

    Use the experimental-cluster-signing-duration parameter to set the
    kubelet certificate to expire after 1 month. Kubelet certificate
    rotation is enabled by default.

    Closes-Bug: 1834685
    Change-Id: Ie5b91a86c1a1b536e51719dad99be0cc89d65722
    Signed-off-by: David Sullivan <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
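
One way to check on a node that the change in the commit above has taken effect, as an added example that is not part of the bug report or the StarlingX code base: it classifies a PEM certificate by remaining validity using `openssl x509 -checkend`. The 31-day threshold, the function names and the self-signed sample certificates are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not StarlingX code. Classifies a PEM certificate by remaining
# validity so a node still holding a one-year kubelet certificate stands out.
# The default of 31 days is an assumed reading of the "1 month" target.

# classify_cert FILE [MAX_DAYS]
# Prints: unreadable | expired | long-lived | short-lived
# Returns 0 only for short-lived (valid now, expires within MAX_DAYS).
classify_cert() {
    cert=$1
    max_days=${2:-31}
    # Reject missing files and non-certificate input first.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo unreadable; return 2
    fi
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 1
    fi
    # Still valid past the threshold: the short signing duration is not in effect.
    if openssl x509 -in "$cert" -noout -checkend $((max_days * 86400)) >/dev/null 2>&1; then
        echo long-lived; return 1
    fi
    echo short-lived
}

# make_sample_cert DAYS OUT: constructed self-signed certificate for the demo.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=constructed-sample" -keyout /dev/null -out "$2" 2>/dev/null
}

if [ "$#" -gt 0 ]; then
    # Real use: pass certificate paths, e.g. the kubelet's current client
    # certificate (commonly /var/lib/kubelet/pki/kubelet-client-current.pem).
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(classify_cert "$f" || true)"
    done
else
    # No arguments: run against two constructed samples (30-day and 365-day).
    tmp=$(mktemp -d)
    make_sample_cert 30 "$tmp/month.pem"
    make_sample_cert 365 "$tmp/year.pem"
    for f in "$tmp/month.pem" "$tmp/year.pem"; do
        printf '%s: %s\n' "$f" "$(classify_cert "$f" || true)"
    done
    rm -rf "$tmp"
fi
```

A certificate issued before the signing duration was changed keeps its original expiry until it is next rotated, so a `long-lived` result immediately after an upgrade is expected for existing certificates.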