show-certs.sh is not able to print kubernetes certificates since the k8s upversion to 1.26.1
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
StarlingX | Fix Released | Medium | Reinildes Oliveira | | |
Bug Description
Brief Description
-------
show-certs.sh is not able to print kubernetes certificates since k8s 1.26.1
Severity
-------
Provide the severity of the defect.
<Major: System/Feature is usable but degraded>
Steps to Reproduce
-------
1. In a recent load with k8s 1.26.1
2. run 'sudo show-certs.sh'
Expected Behavior
-------
{code:java}
sysadmin@
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version.
Client Version: version.
Kustomize Version: v4.5.7
Server Version: version.
sysadmin@
Password:
docker_registry (deployment/
------
Renewal : Automatic [Managed by Cert-Manager]
Filename : /etc/ssl/
Subject : CN = new-registry-
Issuer : CN = starlingx
Issue Date : Nov 21 11:28:29 2034 GMT
Expiry Date : Dec 21 11:28:29 2034 GMT
Residual Time : 15d
local-openldap (deployment/
------
Renewal : Automatic [Managed by Cert-Manager]
Filename : /etc/ldap/
Subject : CN = system-openldap
Issuer : CN = starlingx
Issue Date : Nov 21 11:11:38 2034 GMT
Expiry Date : Feb 19 11:11:38 2035 GMT
Residual Time : 75d
/opt/platform/
------
Renewal : Manual
Filename : /opt/platform/
Subject : C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Issuer : C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Issue Date : Jun 21 17:46:14 2021 GMT
Expiry Date : Sep 7 17:46:14 2032 GMT
Residual Time : -818d
DC-AdminEp-RootCA (dc-cert/
------
Renewal : Automatic [Managed by Cert-Manager]
Filename : /etc/pki/
Subject : OU = StarlingX DC Root CA, CN = 192.168.0.2
Issuer : OU = StarlingX DC Root CA, CN = 192.168.0.2
Issue Date : Nov 21 11:11:32 2034 GMT
Expiry Date : Nov 20 11:11:32 2039 GMT
Residual Time : 1810d
DC-AdminEp-Server (dc-cert/
------
Renewal : Automatic [Managed by Cert-Manager]
Filename : /etc/ssl/
Subject : CN = 192.168.0.2
Issuer : OU = StarlingX DC Root CA, CN = 192.168.0.2
Issue Date : Nov 21 11:11:38 2034 GMT
Expiry Date : May 20 11:11:38 2035 GMT
Residual Time : 165d
Kubernetes CERTIFICATES:
------
Note: 'CERTIFICATES' are Renewal: Automatic
Note: 'CERTIFICATE AUTHORITIES' are Renewal: Manual
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Nov 23, 2035 20:29 UTC 353d ca no
apiserver Nov 23, 2035 20:29 UTC 353d ca no
apiserver-
controller-
front-proxy-client Nov 23, 2035 20:29 UTC 353d front-proxy-ca no
scheduler.conf Nov 23, 2035 20:29 UTC 353d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Nov 20, 2044 20:29 UTC 9y no
front-proxy-ca Nov 20, 2044 20:29 UTC 9y no
etcd CA certificate CERTIFICATE:
------
Renewal : Manual
Filename : /etc/etcd/ca.crt
Subject : CN = etcd
Issuer : CN = etcd
Issue Date : Nov 23 20:29:14 2034 GMT
Expiry Date : Nov 20 20:29:14 2044 GMT
Residual Time : 3638d
etcd client certificate CERTIFICATE:
------
Renewal : Automatic
Filename : /etc/etcd/
Subject : CN = root
Issuer : CN = etcd
Issue Date : Dec 5 00:10:05 2034 GMT
Expiry Date : Dec 5 00:10:05 2035 GMT
Residual Time : 364d
etcd server certificate CERTIFICATE:
------
Renewal : Automatic
Filename : /etc/etcd/
Subject : CN = etcd-server
Issuer : CN = etcd
Issue Date : Dec 5 00:10:04 2034 GMT
Expiry Date : Dec 5 00:10:04 2035 GMT
Residual Time : 364d
etcd apiserver client certificate CERTIFICATE:
------
Renewal : Automatic
Filename : /etc/kubernetes
Subject : CN = apiserver-
Issuer : CN = etcd
Issue Date : Dec 5 00:10:03 2034 GMT
Expiry Date : Dec 5 00:10:03 2035 GMT
Residual Time : 364d
kubelet client CERTIFICATE:
------
Renewal : Automatically by k8s
Filename : /var/lib/
Subject : O = system:nodes, CN = system:
Issuer : CN = starlingx
Issue Date : Nov 21 11:05:50 2034 GMT
Expiry Date : Nov 21 11:05:50 2035 GMT
Residual Time : 350d
{code}
Actual Behavior
-------
{code:java}
sysadmin@
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version.
Client Version: version.
Kustomize Version: v4.5.7
Server Version: version.
sysadmin@
Password:
docker_registry (deployment/
------
Renewal : Automatic [Managed by Cert-Manager]
Filename : /etc/ssl/
Subject : CN = new-registry-
Issuer : CN = starlingx
Issue Date : Nov 21 11:28:29 2034 GMT
Expiry Date : Dec 21 11:28:29 2034 GMT
Residual Time : 15d
local-openldap (deployment/
------
Renewal : Automatic [Managed by Cert-Manager]
Filename : /etc/ldap/
Subject : CN = system-openldap
Issuer : CN = starlingx
Issue Date : Nov 21 11:11:38 2034 GMT
Expiry Date : Feb 19 11:11:38 2035 GMT
Residual Time : 75d
/opt/platform/
------
Renewal : Manual
Filename : /opt/platform/
Subject : C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Issuer : C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Issue Date : Jun 21 17:46:14 2021 GMT
Expiry Date : Sep 7 17:46:14 2032 GMT
Residual Time : -818d
DC-AdminEp-RootCA (dc-cert/
------
Renewal : Automatic [Managed by Cert-Manager]
Filename : /etc/pki/
Subject : OU = StarlingX DC Root CA, CN = 192.168.0.2
Issuer : OU = StarlingX DC Root CA, CN = 192.168.0.2
Issue Date : Nov 21 11:11:32 2034 GMT
Expiry Date : Nov 20 11:11:32 2039 GMT
Residual Time : 1810d
DC-AdminEp-Server (dc-cert/
------
Renewal : Automatic [Managed by Cert-Manager]
Filename : /etc/ssl/
Subject : CN = 192.168.0.2
Issuer : OU = StarlingX DC Root CA, CN = 192.168.0.2
Issue Date : Nov 21 11:11:38 2034 GMT
Expiry Date : May 20 11:11:38 2035 GMT
Residual Time : 165d
Kubernetes CERTIFICATES:
------
Note: 'CERTIFICATES' are Renewal: Automatic
Note: 'CERTIFICATE AUTHORITIES' are Renewal: Manual
Kubeadm experimental sub-commands
etcd CA certificate CERTIFICATE:
------
Renewal : Manual
Filename : /etc/etcd/ca.crt
Subject : CN = etcd
Issuer : CN = etcd
Issue Date : Nov 23 20:29:14 2034 GMT
Expiry Date : Nov 20 20:29:14 2044 GMT
Residual Time : 3638d
etcd client certificate CERTIFICATE:
------
Renewal : Automatic
Filename : /etc/etcd/
Subject : CN = root
Issuer : CN = etcd
Issue Date : Dec 5 00:10:05 2034 GMT
Expiry Date : Dec 5 00:10:05 2035 GMT
Residual Time : 364d
etcd server certificate CERTIFICATE:
------
Renewal : Automatic
Filename : /etc/etcd/
Subject : CN = etcd-server
Issuer : CN = etcd
Issue Date : Dec 5 00:10:04 2034 GMT
Expiry Date : Dec 5 00:10:04 2035 GMT
Residual Time : 364d
etcd apiserver client certificate CERTIFICATE:
------
Renewal : Automatic
Filename : /etc/kubernetes
Subject : CN = apiserver-
Issuer : CN = etcd
Issue Date : Dec 5 00:10:03 2034 GMT
Expiry Date : Dec 5 00:10:03 2035 GMT
Residual Time : 364d
kubelet client CERTIFICATE:
------
Renewal : Automatically by k8s
Filename : /var/lib/
Subject : O = system:nodes, CN = system:
Issuer : CN = starlingx
Issue Date : Nov 21 11:05:50 2034 GMT
Expiry Date : Nov 21 11:05:50 2035 GMT
Residual Time : 350d
{code}
Reproducibility
-------
100%
System Configuration
-------
Any system type:
{code:java}
sysadmin@
SW_VERSION="23.09"
BUILD_TARGET="Host Installer"
BUILD_TYPE="Formal"
BUILD_ID=
SRC_BUILD_ID="1592"
JOB="wrcp-
BUILD_BY="jenkins"
BUILD_NUMBER="585"
BUILD_HOST=
BUILD_DATE=
{code}
Last Pass
-------
N/A
Timestamp/Logs
-------
N/A
Alarms
-------
N/A
Test Activity
-------
Developer Testing
Workaround
-------
N/A
Changed in starlingx:
assignee: nobody → Reinildes Oliveira (rjosemat)
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.9.0 stx.security stx.tools
Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/utilities/+/904529
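
A regression check for the symptom reported above, as an added example (not part of the bug report or of show-certs.sh): it counts the kubeadm certificate rows under the `Kubernetes CERTIFICATES:` heading in captured output and fails when the table is missing. The function names are hypothetical, and the two sample captures are constructed by trimming the expected and actual output in the report.

```shell
# Added example; function names are hypothetical, not part of show-certs.sh.
# Print how many rows the kubeadm expiration table has under the
# "Kubernetes CERTIFICATES:" heading of show-certs.sh output on stdin.
k8s_section_rows() {
    awk '
        /^Kubernetes CERTIFICATES:/ { in_sec = 1; next }
        # The next per-certificate heading ("... CERTIFICATE:") ends the section.
        in_sec && /CERTIFICATE:$/ { in_sec = 0; in_tab = 0 }
        in_sec && /^CERTIFICATE +EXPIRES/ { in_tab = 1; next }
        in_sec && /^CERTIFICATE AUTHORITY +EXPIRES/ { in_tab = 0 }
        in_sec && in_tab && / UTC / { rows++ }
        END { print rows + 0 }
    '
}

# Exit status 1 when the table is missing, so a wrapper or CI job can alert.
check_k8s_section() {
    rows=$(k8s_section_rows)
    if [ "$rows" -gt 0 ]; then
        echo "OK: $rows kubeadm certificate rows"
    else
        echo "FAIL: kubeadm expiration table missing"
        return 1
    fi
}

# Constructed samples, trimmed from the expected and actual output above.
sample_expected() { cat <<'EOF'
Kubernetes CERTIFICATES:
------
[check-expiration] Reading configuration from the cluster...
CERTIFICATE EXPIRES RESIDUAL TIME CERTIFICATE AUTHORITY EXTERNALLY MANAGED
admin.conf Nov 23, 2035 20:29 UTC 353d ca no
apiserver Nov 23, 2035 20:29 UTC 353d ca no
CERTIFICATE AUTHORITY EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
ca Nov 20, 2044 20:29 UTC 9y no
etcd CA certificate CERTIFICATE:
EOF
}
sample_actual() { cat <<'EOF'
Kubernetes CERTIFICATES:
------
Kubeadm experimental sub-commands
etcd CA certificate CERTIFICATE:
EOF
}
sample_expected | check_k8s_section
sample_actual | check_k8s_section || true
```

On a live system the same check would read the real output, for example `sudo show-certs.sh | check_k8s_section`.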