Add renew certificates subcommand #147
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @pytimer. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/L
|
This command should be run on the certificate expirated node with CA. Before run this command, you should copy CA to the node, and then run |
My questions were mostly to help guide some documentation fore this feature. Perhaps a new section in the README? Or maybe even in the command help? |
|
@chuckha I update the README.md in this pr, you can review it. Thanks. |
There was a problem hiding this comment.
Thanks for adding this. I update a suggestion to potentially clear up what certs are being renewed. I don't think we need to write down how to copy certs around as it's already listed.
Worked for me, but I'm surprised at the lack of cluster level health check/info through etcdadm.
| @@ -0,0 +1,46 @@ | |||
| package cmd | |||
There was a problem hiding this comment.
New file needs license header
There was a problem hiding this comment.
I will add license header late.
| @@ -60,6 +60,22 @@ On the machine being removed, run | |||
| etcdadm reset | |||
| ``` | |||
|
|
|||
| ### Renewal certificates | |||
There was a problem hiding this comment.
This took me a second to understand. We aren't renewing the CA, we're renewing the certs generated with the CA.
this should be a little more friendly, how about something like this:
Certificates are set to expire after <1 year?> by default.
To renew certificates, first ensure every node in the cluster has the CA root certificate. Then, on each node in, runetcdadm certs renew.
There was a problem hiding this comment.
+1 to @chuckha's suggestion.
I think it might help to explicitly mention that there are two certificates: peer and server.
There was a problem hiding this comment.
I will update the document.
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
certs/certs.go
Outdated
| // GetDefaultCertList returns all of the certificates etcdadm requires to function. | ||
| func GetDefaultCertList() []string { | ||
| return []string{ | ||
| //constants.EtcdCACertAndKeyBaseName, |
There was a problem hiding this comment.
Remove commented code?
There was a problem hiding this comment.
OK, I will remove it.
certs/certs.go
Outdated
| } | ||
| } | ||
|
|
||
| // RenewUsingLocalCA executes certificate renewal using local certificate authorities for generating new certs. |
There was a problem hiding this comment.
| // RenewUsingLocalCA executes certificate renewal using local certificate authorities for generating new certs. | |
| // RenewUsingLocalCA replaces certificates with new certificates signed by the CA. |
| func GetDefaultCertList() []string { | ||
| return []string{ | ||
| //constants.EtcdCACertAndKeyBaseName, | ||
| constants.EtcdServerCertAndKeyBaseName, |
There was a problem hiding this comment.
How does replacing a certificate affect the client that uses the certificates?
- etcd peer and server certificates: etcd will check and, if needed, reload the certificate on every connection.
- etcdctl client certificate: this is not a long-running process, and presumably etcdctl reads certificates when it starts. If it fails, the user can always rerun it.
- **kube-apiserver: I'm not sure if it will reload its etcd client certificate. Does it need to be restarted? **
There was a problem hiding this comment.
-
Etcd should restart as far as I know.
-
etcdctl every time use the new certificate s , so I think renew not effect it.
-
If the kube-apisever client crt changed, I think kube-apisever maybe need to restart. I'm not tests this case, so i'm not sure. I will tests it.
There was a problem hiding this comment.
Thank you!
If kube-apiserver does need to be restarted, let's document that. Perhaps even write a message to the user.
| } | ||
|
|
||
| // extract the certificate config | ||
| cfg := certToConfig(cert) |
There was a problem hiding this comment.
For etcdadm certs renew this means that the source of truth is the certificate on disk.. However, for etcdadm init and etcdadm join, the source of truth is etcdadm.
I think that the source of truth should be consistent across all commands.
In fact, if etcdadm certs renew uses etcdadm as the source of truth, then it can just create new certificates using the existing functions (CreateEtcdServerCertAndKeyFiles, CreateEtcdPeerCertAndKeyFiles, CreateEtcdctlClientCertAndKeyFiles, and CreateAPIServerEtcdClientCertAndKeyFiles).
WDYT?
There was a problem hiding this comment.
You mean that maybe the disk certificates not the source of truth?
I understand your said, But if we use createXXX to recreate the new certificates, is it include CA certificate?
There was a problem hiding this comment.
You mean that maybe the disk certificates not the source of truth?
That's right; I believe that the certificates on disk should not be the source of truth.
When etcdadm creates certificates the first time, it determines their properties. When it renews them, it should set those properties the same way. It should not pay attention to the properties in the certificates on disk.
I understand your said, But if we use createXXX to recreate the new certificates, is it include CA certificate?
I believe each of the functions I mentioned reads the CA from disk.
There was a problem hiding this comment.
Do not believe the certificates on disk is right, but if we recreate certificates, this command name still call renew, or change to etcdadm certs recreate ?
There was a problem hiding this comment.
Great question! I think renew is correct, based on the RFC:
This subcomponent is used to describe the following elements related to certificate renewal. Certificate renewal means the issuance of a new certificate to the subscriber without changing the subscriber or other participant's public key or any other information in the certificate:
-- https://tools.ietf.org/html/rfc3647 *
However, if I'm reading the definition correctly, etcdadm must generate a new certificate using its current key on disk. That means etcdadm needs to read the key from disk, but not the certificate.
(I continue to believe that etcdadm should set the certificate properties, rather than read them from the certificate on disk.)
* I found this via https://security.stackexchange.com/questions/150907/x-509-certificate-renew-vs-rekey
There was a problem hiding this comment.
I think this renew implementation more like rekey, but it also use certificate properties. If my understanding correct, you mean that etcdadm not use old certificate properties on the disk?
There was a problem hiding this comment.
I agree; this PR right now implements "rekey" according to the RFC.
I don't know whether we want "renew" or "rekey;" I need to learn the trade-offs and use cases.
I decided to check what kubeadm does. Looks like kubeadm does in fact read the properties of the existing certificates:
Note: alpha certs renew uses the existing certificates as the authoritative source for attributes (Common Name, Organization, SAN, etc.) instead of the kubeadm-config ConfigMap. It is strongly recommended to keep them both in sync.
-- https://v1-17.docs.kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#renew-certificates-with-the-kubernetes-certificates-api
I wonder why that is.
There was a problem hiding this comment.
I see kubeadm read certificate properties, i think maybe etcdadm/kubeadm init or join can add custom SANs, if we don't read properties, maybe we missing some SANs.
There was a problem hiding this comment.
i think maybe etcdadm/kubeadm init or join can add custom SANs, if we don't read properties, maybe we missing some SANs.
That's a great point.
|
Thanks for helping me understand your approach @pytimer . I'm ok with etcdadm reading the properties from the certs on disk. The only question left is #147 (comment). Otherwise this looks good to merge. |
Sorry, because of have some things, i have no locally Kubernetes cluster before, i will testing and reply it coming soon. |
|
@dlipovetsky I testing kube-apiserver case about #147 (comment) , kube-apiserver needs to restart and load new etcd client certificates. I update document and code, warning users to pay attention. The code is: https://github.com/kubernetes-sigs/etcdadm/pull/147/files#diff-1094222d3259d85ad53cc70f8bcc0816R54 |
cmd/certs.go
Outdated
| log.Fatalf("Certificates %s can't be renewed.\n", name) | ||
| } | ||
| } | ||
| log.Println("Your etcd certificates has renew successfully!") |
There was a problem hiding this comment.
| log.Println("Your etcd certificates has renew successfully!") | |
| log.Println("The etcd certificates have been renewed successfully!") |
cmd/certs.go
Outdated
| } | ||
| } | ||
| log.Println("Your etcd certificates has renew successfully!") | ||
| log.Warnln("After renew etcd certificates, you need to restart client(kube-apiserver) which use apiserver-etcd-client certificate.") |
There was a problem hiding this comment.
| log.Warnln("After renew etcd certificates, you need to restart client(kube-apiserver) which use apiserver-etcd-client certificate.") | |
| log.Warnln("If kube-apiserver is running, restart it so that it uses the renewed etcd client certificate.") |
@chuckha What did you want etcdadm to do? Also, what do you think of the PR as it is right now? |
I know I said earlier that kube-apisever might need to be restarted to reload its etcd client cert. But is that what you see in the logs? The reason I ask is: it looks like kube-apiserver should reload the certificates automatically. That's because kube-apiserver uses the etcd client's TLS config, which implements certificate reloading. |
I see kube-apiserver log print error, |
I'll look this week, too. It's not a blocking question, but it's important to know. Depending on what we find, we may want to open a kube-apiserver issue. |
Make PKI library richer, including in-memory keypairs
Make PKI library richer, including in-memory keypairs
Make PKI library richer, including in-memory keypairs
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
I'm sorry. I will check this feature next week. |
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Make PKI library richer, including in-memory keypairs
|
Can we reopen this? This is a needed feature. I think #179 is a great long term goal, but it will be able to utilize this work |
|
/reopen |
|
@dlipovetsky: Reopened this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: pytimer The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
A comment on kube-apiserver. It will pick up the changes to the ETCD client cert, and automatically use it on new connections. |
I use k8s v1.10.0, found kube-apiserver can not automatically use the new client cert, need to restart it, so i add the warning comment when certificates renewed. |
|
Good point. The functionality was added in the etcd client version 3.2.0, though there was a bug where it did not work properly when addressed with an IP until 3.2.19. K8S version 1.11 and 1.10 should work if addressed with a domain. Version 1.12 and up will always reload. |
|
Rotten issues close after 30d of inactivity. Send feedback to sig-contributor-experience at kubernetes/community. |
|
@fejta-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Can we re-open this and get it reviewed? |
|
Finally, I tried it and the renew feature works good! The only problem I have is CSR mode: But there is no If you want to use this feature, clone @pytimer repo, build from |
|
Hi, Thanks |
This is continuing the work from kubernetes-retired#147. Last concern was due to issues with CSR generation. This was due to trying to write the CSR and key to the certificate directory. When calling TryLoadCSRAndKeyFromDisk it registered the key existed, and tried to load both. This caused the error stating it couldn't load the CSR. As with kubeadm, this needed a directory to output the csr specifically. I added a new argument of csr-dir (with a default of the local directory). I split the RenewUsingLocalCA function into two functions. One for the CSRs, and one for the full certificates. The new RenewCSRUsingLocalCA function uses the new csr-dir path to output the CSRs. This ensures the key, from the cert being used, is not overwritten/cause the process to fail.
The
etcdadm certs renewsupport renew certificates with local CA, it will renew the etcd certificates exclude CA.Now the
etcdadmcreate etcd certificates default expiration time is one year. The cluster not work if time is more than one year. I usekubeadmcreate Kubernetes cluster and it also have the same question, howeverkubeadmhave renew command to help us make certificates rotation, so i think it is better ifetcdadmhave this renew command.'I also found other people have this question, Ref: #56, so i send a PR to add a
renewsubcommand for implement it.I'm not sure if missing something, if i missing, please tell me.