Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Automated cherry pick of #106854: kubeadm: avoid requiring a CA key during kubeconfig #106929

Merged
merged 1 commit into from Dec 10, 2021
Merged

Automated cherry pick of #106854: kubeadm: avoid requiring a CA key during kubeconfig #106929

merged 1 commit into from Dec 10, 2021

Conversation

neolit123
Copy link
Member

@neolit123 neolit123 commented Dec 9, 2021
edited

Cherry pick of #106854 on release-1.21.

#106854: kubeadm: avoid requiring a CA key during kubeconfig

For details on the cherry pick process, see the cherry pick requests page.

kubeadm: allow the "certs check-expiration" command to not require the existence of the cluster CA key (ca.key file) when checking the expiration of managed certificates in kubeconfig files.

@neolit123
kubeadm: avoid requiring a CA key during kubeconfig expiration checks
bd026f7 
When the "kubeadm certs check-expiration" command is used and
if the ca.key is not present, regular on disk certificate reads
pass fine, but fail for kubeconfig files. The reason for the
failure is that reading of kubeconfig files currently
requires reading both the CA key and cert from disk. Reading the CA
is done to ensure that the CA cert in the kubeconfig is not out of date
during renewal.

Instead of requiring both a CA key and cert to be read, only read
the CA cert from disk, as only the cert is needed for kubeconfig files.

This fixes printing the cert expiration table even if the ca.key
is missing on a host (i.e. the CA is considered external).
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Dec 9, 2021
@k8s-ci-robot k8s-ci-robot added do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Dec 9, 2021
@k8s-ci-robot k8s-ci-robot added sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Dec 9, 2021
@neolit123
Copy link
Member Author

/kind bug
/priority important-longterm
/triage accepted
/assign @SataQiu @pacoxu

this is a blocking bug for external CA users that use the "check-expiration" command.

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 9, 2021
@neolit123 neolit123 changed the title Automated cherry pick of #106927: kubeadm: avoid requiring a CA key during kubeconfig Automated cherry pick of #106854: kubeadm: avoid requiring a CA key during kubeconfig Dec 9, 2021
@k8s-ci-robot k8s-ci-robot added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Dec 9, 2021
@neolit123 neolit123 mentioned this pull request Dec 9, 2021
Closed
@pacoxu
Copy link
Member

pacoxu commented Dec 10, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 10, 2021
@SataQiu
Copy link
Member

SataQiu commented Dec 10, 2021

ping @kubernetes/release-managers

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123, SataQiu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@puerco
Copy link
Member

puerco commented Dec 10, 2021

Thanks @neolit123 !
/lgtm

@puerco puerco added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Dec 10, 2021
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. label Dec 10, 2021
@puerco
Copy link
Member

puerco commented Dec 10, 2021

/test pull-kubernetes-conformance-kind-ga-only-parallel

@k8s-ci-robot k8s-ci-robot merged commit 43a1d59 into kubernetes:release-1.21 Dec 10, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SataQiu SataQiu SataQiu approved these changes

@pacoxu pacoxu Awaiting requested review from pacoxu

@yagonobre yagonobre Awaiting requested review from yagonobre

Assignees

@pacoxu pacoxu

@puerco puerco

@SataQiu SataQiu

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.21
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@neolit123 @pacoxu @SataQiu @k8s-ci-robot @puerco