Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kubeadm Cert Renewal #67910

Merged
merged 5 commits into from
Aug 31, 2018
Merged

Kubeadm Cert Renewal #67910

merged 5 commits into from
Aug 31, 2018

Conversation

liztio
Copy link
Contributor

@liztio liztio commented Aug 27, 2018
edited
Loading

What this PR does / why we need it:

adds explicit support for renewal of certificates via command

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes kubernetes/kubeadm#206

Special notes for your reviewer:
The targeted documentation is at kubernetes/website#9712

Release note:

Adds the commands `kubeadm alpha phases renew <cert-name>`

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 27, 2018
@k8s-ci-robot k8s-ci-robot requested review from detiber and kad August 27, 2018 20:36
@k8s-ci-robot k8s-ci-robot added area/kubeadm sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. labels Aug 27, 2018
@timothysc timothysc added this to the v1.12 milestone Aug 27, 2018
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Aug 27, 2018
timothysc
timothysc reviewed Aug 27, 2018
View reviewed changes
Copy link
Member

@timothysc timothysc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor feedback on wip

cmd/kubeadm/app/phases/certs/renewal/certsapi.go Outdated

key, err := certutil.NewPrivateKey()
if err != nil {
return nil, nil, fmt.Errorf("Couldn't create new private key: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

b/c these files are net new, definitely use errors.Wrap here.

cmd/kubeadm/app/phases/certs/renewal/certsapi.go Outdated
if ev.Type != watch.Modified {
return nil, nil, fmt.Errorf("unexpected event receieved: %q", ev.Type)
}
case <-time.After(watchTimeout):
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have to dig-up a different example for you here, but this looks a little weird.

neolit123
neolit123 reviewed Aug 27, 2018
View reviewed changes
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liztio thanks
added some minor comments.

cmd/kubeadm/app/phases/certs/renewal/certsapi.go Outdated
select {
case ev := <-watcher.ResultChan():
if ev.Type != watch.Modified {
return nil, nil, fmt.Errorf("unexpected event receieved: %q", ev.Type)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

receieved -> received.

optionally %q -> %s

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like %q for this

cmd/kubeadm/app/phases/certs/renewal/certsapi.go Outdated

// TODO: under what circumstances are there more than one?
if status := req.Status.Conditions[0].Type; status != certsapi.CertificateApproved {
return nil, nil, fmt.Errorf("Unexpected certificate status %v", status)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unexpected -> unexpected
status %v -> status: %v

cmd/kubeadm/app/phases/certs/renewal/certsapi.go Outdated
client certstype.CertificatesV1beta1Interface
}

// NewCertsAPIRenawal takes a certificate pair to construct the Interface.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-> takes a client Interface and returns a renewal Interface?

cmd/kubeadm/app/phases/certs/renewal/certsapi.go Outdated

key, err := certutil.NewPrivateKey()
if err != nil {
return nil, nil, fmt.Errorf("Couldn't create new private key: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't -> couldn't

cmd/kubeadm/app/phases/certs/renewal/certsapi.go Outdated

csr, err := x509.CreateCertificateRequest(rand.Reader, reqTmp, key)
if err != nil {
return nil, nil, fmt.Errorf("Couldn't create csr: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couldn't -> couldn't
csr -> certificate signing request?

cmd/kubeadm/app/phases/certs/renewal/certsapi.go Outdated
for i, usage := range cfg.Usages {
certsAPIUsage, ok := usageMap[usage]
if !ok {
return nil, nil, fmt.Errorf("unknown key usage %v", usage)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

-> key usage: %v

cmd/kubeadm/app/phases/certs/renewal/filerenewal.go Outdated
func (r *FileRenewal) Renew(cfg *certutil.Config) (*x509.Certificate, crypto.PrivateKey, error) {
caKey, ok := r.caKey.(*rsa.PrivateKey)
if !ok {
return nil, nil, fmt.Errorf("unsupported private key type %t", r.caKey)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this would print the whole private key which can be quite long.
i would go for something like:
unsupported private key type. Only RSA is supported

@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 28, 2018
kad
kad reviewed Aug 29, 2018
View reviewed changes
cmd/kubeadm/app/phases/certs/renewal/certsapi.go
Organization: cfg.Organization,
},
DNSNames: cfg.AltNames.DNSNames,
IPAddresses: cfg.AltNames.IPs,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One bad thing is that x509.CertificateRequest doesn't validate what kind of IPs are requested in certificates. I think on our side we should be doing some validation that certificates that we request don't have some weird IPs in it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The source of these IPs is the existing, on-disk certificates. What IPs are you worried about?

@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 29, 2018
@liztio liztio changed the title [wip] Kubeadm Cert Renewal Kubeadm Cert Renewal Aug 30, 2018
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 30, 2018
@liztio
Copy link
Contributor Author

liztio commented Aug 30, 2018

/test pull-kubernetes-bazel-test

@liztio
Copy link
Contributor Author

liztio commented Aug 30, 2018

/test pull-kubernetes-e2e-kops-aws

timothysc
timothysc approved these changes Aug 31, 2018
View reviewed changes
Copy link
Member

@timothysc timothysc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

I could needle some things, but we're near freeze, and perfect is the enemy of the good.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 31, 2018
@timothysc timothysc added kind/feature Categorizes issue or PR as related to a new feature. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Aug 31, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: liztio, timothysc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 64283, 67910, 67803, 68100). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

@k8s-github-robot k8s-github-robot merged commit 17dde46 into kubernetes:master Aug 31, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stealthybox stealthybox stealthybox left review comments

@neolit123 neolit123 neolit123 left review comments

@kad kad kad left review comments

@timothysc timothysc timothysc approved these changes

@detiber detiber Awaiting requested review from detiber

Assignees

@timothysc timothysc

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubeadm cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
v1.12
Development

Successfully merging this pull request may close these issues.

Support certificate rotation
7 participants
@liztio @k8s-ci-robot @k8s-github-robot @kad @timothysc @neolit123 @stealthybox