show-certs.sh is not able to print kubernetes certificates since the k8s upversion to 1.26.1

Bug #2047859 reported by Reinildes Oliveira
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Reinildes Oliveira

Bug Description

Brief Description
-------------------------------------------

show-certs.sh is not able to print kubernetes certificates since k8s 1.26.1

Severity
-------------------------------------------

Provide the severity of the defect.
<Major: System/Feature is usable but degraded>

Steps to Reproduce
-------------------------------------------

1. In a recent load with k8s 1.26.1
2. run 'sudo show-certs.sh'

Expected Behavior
-------------------------------------------

{code:java}
sysadmin@controller-0:~$ kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.1", GitCommit:"8f94681cd294aa8cfd3407b8191f6c70214973a4", GitTreeState:"archive", BuildDate:"2023-12-12T01:01:28Z", GoVersion:"go1.19.8", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.1", GitCommit:"8f94681cd294aa8cfd3407b8191f6c70214973a4", GitTreeState:"clean", BuildDate:"2023-01-18T15:51:25Z", GoVersion:"go1.19.5", Compiler:"gc", Platform:"linux/amd64"}
sysadmin@controller-0:~$ sudo show-certs.sh
Password:

 docker_registry (deployment/system-registry-local-certificate) CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic [Managed by Cert-Manager]
  Filename : /etc/ssl/private/registry-cert.crt
  Subject : CN = new-registry-reinildes
  Issuer : CN = starlingx
  Issue Date : Nov 21 11:28:29 2034 GMT
  Expiry Date : Dec 21 11:28:29 2034 GMT
  Residual Time : 15d

 local-openldap (deployment/system-openldap-local-certificate) CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic [Managed by Cert-Manager]
  Filename : /etc/ldap/certs/openldap-cert.crt
  Subject : CN = system-openldap
  Issuer : CN = starlingx
  Issue Date : Nov 21 11:11:38 2034 GMT
  Expiry Date : Feb 19 11:11:38 2035 GMT
  Residual Time : 75d

 /opt/platform/config/23.09/ssl_ca/ssl_ca_10076021394652733954 CERTIFICATE:
 ------------------------------------------
  Renewal : Manual
  Filename : /opt/platform/config/23.09/ssl_ca/ssl_ca_10076021394652733954
  Subject : C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
  Issuer : C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
  Issue Date : Jun 21 17:46:14 2021 GMT
  Expiry Date : Sep 7 17:46:14 2032 GMT
  Residual Time : -818d

 DC-AdminEp-RootCA (dc-cert/dc-adminep-root-ca-certificate) CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic [Managed by Cert-Manager]
  Filename : /etc/pki/ca-trust/source/anchors/dc-adminep-root-ca.crt
  Subject : OU = StarlingX DC Root CA, CN = 192.168.0.2
  Issuer : OU = StarlingX DC Root CA, CN = 192.168.0.2
  Issue Date : Nov 21 11:11:32 2034 GMT
  Expiry Date : Nov 20 11:11:32 2039 GMT
  Residual Time : 1810d

 DC-AdminEp-Server (dc-cert/dc-adminep-certificate) CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic [Managed by Cert-Manager]
  Filename : /etc/ssl/private/admin-ep-cert.pem
  Subject : CN = 192.168.0.2
  Issuer : OU = StarlingX DC Root CA, CN = 192.168.0.2
  Issue Date : Nov 21 11:11:38 2034 GMT
  Expiry Date : May 20 11:11:38 2035 GMT
  Residual Time : 165d

 Kubernetes CERTIFICATES:
 ------------------------------------------
Note: 'CERTIFICATES' are Renewal: Automatic
Note: 'CERTIFICATE AUTHORITIES' are Renewal: Manual
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 23, 2035 20:29 UTC   353d            ca                      no
apiserver                  Nov 23, 2035 20:29 UTC   353d            ca                      no
apiserver-kubelet-client   Nov 23, 2035 20:29 UTC   353d            ca                      no
controller-manager.conf    Nov 23, 2035 20:29 UTC   353d            ca                      no
front-proxy-client         Nov 23, 2035 20:29 UTC   353d            front-proxy-ca          no
scheduler.conf             Nov 23, 2035 20:29 UTC   353d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 20, 2044 20:29 UTC   9y              no
front-proxy-ca          Nov 20, 2044 20:29 UTC   9y              no

 etcd CA certificate CERTIFICATE:
 ------------------------------------------
  Renewal : Manual
  Filename : /etc/etcd/ca.crt
  Subject : CN = etcd
  Issuer : CN = etcd
  Issue Date : Nov 23 20:29:14 2034 GMT
  Expiry Date : Nov 20 20:29:14 2044 GMT
  Residual Time : 3638d

 etcd client certificate CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic
  Filename : /etc/etcd/etcd-client.crt
  Subject : CN = root
  Issuer : CN = etcd
  Issue Date : Dec 5 00:10:05 2034 GMT
  Expiry Date : Dec 5 00:10:05 2035 GMT
  Residual Time : 364d

 etcd server certificate CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic
  Filename : /etc/etcd/etcd-server.crt
  Subject : CN = etcd-server
  Issuer : CN = etcd
  Issue Date : Dec 5 00:10:04 2034 GMT
  Expiry Date : Dec 5 00:10:04 2035 GMT
  Residual Time : 364d

 etcd apiserver client certificate CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic
  Filename : /etc/kubernetes/pki/apiserver-etcd-client.crt
  Subject : CN = apiserver-etcd-client
  Issuer : CN = etcd
  Issue Date : Dec 5 00:10:03 2034 GMT
  Expiry Date : Dec 5 00:10:03 2035 GMT
  Residual Time : 364d

 kubelet client CERTIFICATE:
 ------------------------------------------
  Renewal : Automatically by k8s
  Filename : /var/lib/kubelet/pki/kubelet-client-current.pem
  Subject : O = system:nodes, CN = system:node:controller-0
  Issuer : CN = starlingx
  Issue Date : Nov 21 11:05:50 2034 GMT
  Expiry Date : Nov 21 11:05:50 2035 GMT
  Residual Time : 350d

{code}

Actual Behavior
-------------------------------------------

{code:java}
sysadmin@controller-0:~$ kubectl version
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.1", GitCommit:"8f94681cd294aa8cfd3407b8191f6c70214973a4", GitTreeState:"archive", BuildDate:"2023-12-12T01:01:28Z", GoVersion:"go1.19.8", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.1", GitCommit:"8f94681cd294aa8cfd3407b8191f6c70214973a4", GitTreeState:"clean", BuildDate:"2023-01-18T15:51:25Z", GoVersion:"go1.19.5", Compiler:"gc", Platform:"linux/amd64"}
sysadmin@controller-0:~$ sudo show-certs.sh
Password:

 docker_registry (deployment/system-registry-local-certificate) CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic [Managed by Cert-Manager]
  Filename : /etc/ssl/private/registry-cert.crt
  Subject : CN = new-registry-reinildes
  Issuer : CN = starlingx
  Issue Date : Nov 21 11:28:29 2034 GMT
  Expiry Date : Dec 21 11:28:29 2034 GMT
  Residual Time : 15d

 local-openldap (deployment/system-openldap-local-certificate) CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic [Managed by Cert-Manager]
  Filename : /etc/ldap/certs/openldap-cert.crt
  Subject : CN = system-openldap
  Issuer : CN = starlingx
  Issue Date : Nov 21 11:11:38 2034 GMT
  Expiry Date : Feb 19 11:11:38 2035 GMT
  Residual Time : 75d

 /opt/platform/config/23.09/ssl_ca/ssl_ca_10076021394652733954 CERTIFICATE:
 ------------------------------------------
  Renewal : Manual
  Filename : /opt/platform/config/23.09/ssl_ca/ssl_ca_10076021394652733954
  Subject : C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
  Issuer : C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
  Issue Date : Jun 21 17:46:14 2021 GMT
  Expiry Date : Sep 7 17:46:14 2032 GMT
  Residual Time : -818d

 DC-AdminEp-RootCA (dc-cert/dc-adminep-root-ca-certificate) CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic [Managed by Cert-Manager]
  Filename : /etc/pki/ca-trust/source/anchors/dc-adminep-root-ca.crt
  Subject : OU = StarlingX DC Root CA, CN = 192.168.0.2
  Issuer : OU = StarlingX DC Root CA, CN = 192.168.0.2
  Issue Date : Nov 21 11:11:32 2034 GMT
  Expiry Date : Nov 20 11:11:32 2039 GMT
  Residual Time : 1810d

 DC-AdminEp-Server (dc-cert/dc-adminep-certificate) CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic [Managed by Cert-Manager]
  Filename : /etc/ssl/private/admin-ep-cert.pem
  Subject : CN = 192.168.0.2
  Issuer : OU = StarlingX DC Root CA, CN = 192.168.0.2
  Issue Date : Nov 21 11:11:38 2034 GMT
  Expiry Date : May 20 11:11:38 2035 GMT
  Residual Time : 165d

 Kubernetes CERTIFICATES:
 ------------------------------------------
Note: 'CERTIFICATES' are Renewal: Automatic
Note: 'CERTIFICATE AUTHORITIES' are Renewal: Manual

Kubeadm experimental sub-commands

 etcd CA certificate CERTIFICATE:
 ------------------------------------------
  Renewal : Manual
  Filename : /etc/etcd/ca.crt
  Subject : CN = etcd
  Issuer : CN = etcd
  Issue Date : Nov 23 20:29:14 2034 GMT
  Expiry Date : Nov 20 20:29:14 2044 GMT
  Residual Time : 3638d

 etcd client certificate CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic
  Filename : /etc/etcd/etcd-client.crt
  Subject : CN = root
  Issuer : CN = etcd
  Issue Date : Dec 5 00:10:05 2034 GMT
  Expiry Date : Dec 5 00:10:05 2035 GMT
  Residual Time : 364d

 etcd server certificate CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic
  Filename : /etc/etcd/etcd-server.crt
  Subject : CN = etcd-server
  Issuer : CN = etcd
  Issue Date : Dec 5 00:10:04 2034 GMT
  Expiry Date : Dec 5 00:10:04 2035 GMT
  Residual Time : 364d

 etcd apiserver client certificate CERTIFICATE:
 ------------------------------------------
  Renewal : Automatic
  Filename : /etc/kubernetes/pki/apiserver-etcd-client.crt
  Subject : CN = apiserver-etcd-client
  Issuer : CN = etcd
  Issue Date : Dec 5 00:10:03 2034 GMT
  Expiry Date : Dec 5 00:10:03 2035 GMT
  Residual Time : 364d

 kubelet client CERTIFICATE:
 ------------------------------------------
  Renewal : Automatically by k8s
  Filename : /var/lib/kubelet/pki/kubelet-client-current.pem
  Subject : O = system:nodes, CN = system:node:controller-0
  Issuer : CN = starlingx
  Issue Date : Nov 21 11:05:50 2034 GMT
  Expiry Date : Nov 21 11:05:50 2035 GMT
  Residual Time : 350d

{code}

Reproducibility
-------------------------------------------
100%

System Configuration
-------------------------------------------
Any system type:

{code:java}
sysadmin@controller-0:~$ cat /etc/build.info
SW_VERSION="23.09"
BUILD_TARGET="Host Installer"
BUILD_TYPE="Formal"
BUILD_ID="2023-12-11_19-00-09"
SRC_BUILD_ID="1592"

JOB="wrcp-master-debian"
BUILD_BY="jenkins"
BUILD_NUMBER="585"
BUILD_HOST="yow-wrcp-lx.wrs.com"
BUILD_DATE="2023-12-12 00:00:09 +0000"
{code}

Last Pass
-------------------------------------------

N/A

Timestamp/Logs
-------------------------------------------

N/A

Alarms
-------------------------------------------
N/A

Test Activity
-------------------------------------------

Developer Testing

Workaround
-------------------------------------------

N/A

OpenStack Infra (hudson-openstack) wrote : Fix proposed to utilities (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/utilities/+/904529

Changed in starlingx:
status: New → In Progress
Changed in starlingx:
assignee: nobody → Reinildes Oliveira (rjosemat)
OpenStack Infra (hudson-openstack) wrote : Fix merged to utilities (master)

Reviewed: https://review.opendev.org/c/starlingx/utilities/+/904529
Committed: https://opendev.org/starlingx/utilities/commit/c8693dcd7e2a3f163dbabf01b60882575425afc3
Submitter: "Zuul (22348)"
Branch: master

commit c8693dcd7e2a3f163dbabf01b60882575425afc3
Author: Rei Oliveira <email address hidden>
Date: Tue Jan 2 17:49:48 2024 -0300

    Fix error in the output of show-certs.sh

    Since k8s 1.26.1 was introduced in stx, command 'kubeadm certs' will
    return error code 1. Earlier versions of kubernetes returned 0.

    This commit fixes the error by adding flag -h, which will correctly
    return the error codes as expected:

    0 when 'certs' command is available as a GA command.
    1 when 'certs' is not available and 'alpha certs' should be used instead.

    Test Plan:
    PASS: In a stx system with k8s 1.26.1, run 'sudo show-certs.sh' and
          verify that the output shows k8s certificates properly
    PASS: In a stx system with k8s version less than 1.26.1,
          run 'sudo show-certs.sh' and verify that the output shows k8s
          certificates properly

    Closes-Bug: 2047859
    Signed-off-by: Rei Oliveira <email address hidden>
    Change-Id: Iba0581791b8c7fe6d1cbedc1c9e0c2bd8305a25f
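
An added example, not the StarlingX show-certs.sh source, of the sub-command probe the commit message describes: a pre-fix style check on the exit code of bare 'kubeadm certs' (an assumed form, since the script itself is not shown on this page) beside the '-h' probe the fix uses, plus a constructed stand-in for kubeadm so both can be exercised offline. The kubeadm path parameter of each function is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not show-certs.sh). On kubeadm 1.26 a bare 'kubeadm certs'
# prints usage and exits 1, so a probe keyed on that exit code falls back to
# 'alpha certs' and gets the "Kubeadm experimental sub-commands" text instead
# of the expiration table. 'kubeadm certs -h' exits 0 only when 'certs' is GA.
# $1 (hypothetical parameter): path of the kubeadm binary to probe.

# Pre-fix style probe, kept only to show why it misfires on 1.26 (assumed form).
legacy_certs_cmd() {
    local kubeadm="${1:-kubeadm}"
    if "$kubeadm" certs >/dev/null 2>&1; then echo "certs"; else echo "alpha certs"; fi
}

# Fixed probe: echo "certs" for a GA kubeadm, "alpha certs" otherwise.
kubeadm_certs_cmd() {
    local kubeadm="${1:-kubeadm}"
    if "$kubeadm" certs -h >/dev/null 2>&1; then echo "certs"; else echo "alpha certs"; fi
}

# Run check-expiration through whichever form the fixed probe selected.
k8s_check_expiration() {
    local kubeadm="${1:-kubeadm}" sub
    sub="$(kubeadm_certs_cmd "$kubeadm")"
    # shellcheck disable=SC2086  # $sub is meant to split into one or two words
    "$kubeadm" $sub check-expiration
}

# Constructed stand-in for kubeadm (not the real tool) so the probes run offline.
# mode "ga" mimics kubeadm 1.26: bare 'certs' exits 1, 'certs -h' exits 0, and
# 'alpha certs' only prints the experimental help. mode "alpha" mimics an older
# kubeadm where 'certs' is unknown and only 'alpha certs' exists.
make_fake_kubeadm() {
    local path="$1" mode="$2"
    cat > "$path" <<EOF
#!/bin/sh
mode=$mode
case "\$mode:\$1:\$2" in
  ga:certs:-h)               exit 0 ;;
  ga:certs:check-expiration) echo "CERTIFICATE EXPIRES"; exit 0 ;;
  ga:certs:)                 echo "usage: kubeadm certs" >&2; exit 1 ;;
  ga:alpha:*)                echo "Kubeadm experimental sub-commands"; exit 0 ;;
  alpha:alpha:certs)         echo "CERTIFICATE EXPIRES"; exit 0 ;;
  alpha:certs:*)             echo 'unknown command "certs"' >&2; exit 1 ;;
esac
exit 1
EOF
    chmod +x "$path"
}
```

Against the "ga" stand-in, legacy_certs_cmd picks "alpha certs" (the reported failure) while kubeadm_certs_cmd picks "certs"; against the "alpha" stand-in both pick "alpha certs".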

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.9.0 stx.security stx.tools