kubernetes apiserver certificate needs rotation
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
StarlingX | Fix Released | High | Mingyuan Qi | |
Bug Description
Brief Description
-----------------
When the apiserver/
Severity
--------
Critical
Steps to Reproduce
------------------
Install and configure an AIO-SX system
Verify the expiry of the apiserver certificate with `openssl x509 -noout -text -in /etc/kubernetes
Set the date of the system to later than the certificate expiry
Expected Behavior
------------------
Sometime before the expiry a new certificate needs to be generated.
Actual Behavior
----------------
Kubelet cannot connect to the apiserver as the certificate is no longer valid.
Reproducibility
---------------
100%
System Configuration
-------
All systems
Branch/Pull Time/Commit
-------
20190728T233000Z
Last Pass
---------
NA
Timestamp/Logs
--------------
controller-
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 5878483830693726211 (0x519491e60260
Signature Algorithm: sha256WithRSAEn
Issuer: CN=kubernetes
Validity
Not Before: Jul 25 21:06:05 2019 GMT
Not After : Jul 24 21:06:05 2020 GMT
Subject: CN=kube-apiserver
...
controller-
Fri Jul 24 21:00:02 UTC 2020
controller-
Fri Jul 24 21:07:18 UTC 2020
controller-
Unable to connect to the server: x509: certificate has expired or is not yet valid
Test Activity
-------------
Developer Testing
tags: added: stx.2.0 stx.config stx.containers
Changed in starlingx:
status: New → Triaged
importance: Undecided → High
Changed in starlingx:
assignee: nobody → Mingyuan Qi (myqi)
tags: added: in-r-stx20 in-r-stx30
tags: added: stx.4.0
Successfully updated apiserver, controller-manager, scheduler, kubelet, kubectl certificates manually. Figuring out an approach to automatically detect certificate expiration.
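Added example, not part of the bug report and not the StarlingX fix: one way to detect an approaching expiry is to parse the Validity block that `openssl x509 -noout -text` prints and classify the certificate against a renewal window. The sample text is constructed from the fields in the log above; the function names and the 30-day `renew_before` window are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the fields quoted in the bug's log, laid out the way
# `openssl x509 -noout -text` prints them.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Issuer: CN=kubernetes
        Validity
            Not Before: Jul 25 21:06:05 2019 GMT
            Not After : Jul 24 21:06:05 2020 GMT
        Subject: CN=kube-apiserver
"""

_VALIDITY = re.compile(r"^\s*(Not Before|Not After)\s*:\s*(.+?)\s*$", re.M)
_SUBJECT = re.compile(r"^\s*Subject:\s*(.+?)\s*$", re.M)

def _to_utc(stamp):
    # openssl pads single-digit days with an extra space; normalise first.
    stamp = " ".join(stamp.split())
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_validity(text):
    """Return (subject, not_before, not_after) from openssl's text dump."""
    fields = dict(_VALIDITY.findall(text))
    if set(fields) != {"Not Before", "Not After"}:
        raise ValueError("Validity block missing or incomplete")
    subject = _SUBJECT.search(text)
    return (subject.group(1) if subject else "<unknown>",
            _to_utc(fields["Not Before"]), _to_utc(fields["Not After"]))

def cert_state(text, now, renew_before=timedelta(days=30)):
    """Return (subject, state, time_left) at timezone-aware `now`; state is
    'not-yet-valid', 'ok', 'renew' or 'expired'. renew_before is an assumed policy."""
    subject, not_before, not_after = parse_validity(text)
    left = not_after - now
    if now < not_before:
        return subject, "not-yet-valid", left
    if now > not_after:
        return subject, "expired", left
    return subject, ("renew" if left <= renew_before else "ok"), left

if __name__ == "__main__":
    for hms in ("21:00:02", "21:07:18"):  # the two timestamps in the bug's log
        now = datetime.strptime("2020-07-24 " + hms, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        print(now.isoformat(), *cert_state(SAMPLE_X509_TEXT, now))
```

Run periodically against each certificate's text dump, a `renew` result is the signal to regenerate before kubelet starts failing with the x509 error shown in the log.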