kubeadm: kubeadm alpha certs renew fails to update CA in conf files

What keywords did you search in kubeadm issues before filing this one?

‘kubeadm alpha certs’, ‘certs renew’, ‘kubeadm alpha’

Is this a BUG REPORT or FEATURE REQUEST? BUG REPORT

Versions

1.16.4

kubeadm version (use kubeadm version): 1.16.4

Environment:

  • Kubernetes version (use kubectl version): 1.16.4
  • Cloud provider or hardware configuration: On premise
  • OS (e.g. from /etc/os-release): CentOS 7
  • Kernel (e.g. uname -a): 3.10.0-1062.4.3.el7.x86_64
  • Others:

What happened?

  • I have created new CAs, one each for kubernetes and front-proxy, and tried to renew the CA along with all underlying certificates.
  • Ran kubeadm alpha certs renew <item> one by one for all certificates and conf files with the new CA in a separate --cert-dir.
  • Certificates got signed by the new CA properly.
  • CONF files got updated with the correct client-certificate-data and client-key-data, but with incorrect or old certificate-authority-data.

What you expected to happen?

CONF files must be updated with the new CA (base64) content instead of the old CA.

How to reproduce it (as minimally and precisely as possible)?

  • Create a new CA cert and key.
  • Copy the existing pki dir to a temp dir.
  • Replace the old CA in the temp dir with the NEW CA cert and key.
  • Run kubeadm alpha certs renew <item> one by one for all certificates and conf files with the new CA, along with --cert-dir=<temp dir>.
  • Back up the existing certs.
  • Replace all certs from the temp dir into /etc/kubernetes/pki.
  • Wait for the API server to update, or restart the control plane containers.
  • Alternatively, you can also decode the content of certificate-authority-data from the admin.conf file and run openssl to match the dates to validate the certs:

        awk '/certificate-authority-data:/ {print $2}' admin.conf | base64 -d | openssl x509 -noout -dates
        openssl x509 -in /etc/kubernetes/pki/ca.crt -noout -dates

Anything else we need to know

Not related to #1518; #1361 has some references but no solution.

The problem is that updating certs works as long as one is not updating the CA itself, but not the other way round.

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 19 (9 by maintainers)
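The report above ends with a manual openssl check of the dates in the embedded CA. What a practitioner actually wants after a CA rotation is a yes/no answer per kubeconfig: does the certificate-authority-data it carries decode to the CA that is now in /etc/kubernetes/pki/ca.crt? The POSIX shell script below is an added example, not part of the original issue and not kubeadm's own code. It compares SHA-256 fingerprints of the DER bytes, so line wrapping differences do not matter and openssl is not required (only base64 -d, sha256sum, awk and sed from GNU coreutils are assumed). The fixture functions at the bottom build constructed placeholder files for the demo: they are PEM-armored placeholder bytes, not real X.509 certificates, so openssl x509 would reject them; on a real node you would point kubeconfig_ca_matches at admin.conf, controller-manager.conf, scheduler.conf, kubelet.conf and /etc/kubernetes/pki/ca.crt instead. The script file name check-ca.sh in the usage note is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original issue or of kubeadm: after a CA
# rotation, verify that the CA embedded in each kubeconfig is the CA on disk.
# Only base64, sha256sum, awk and sed are used, so it runs where openssl
# is absent. The fixture functions at the bottom write constructed files.

# Read a PEM certificate on stdin, print the SHA-256 of its DER bytes.
# Stripping the armor and whitespace makes the comparison independent of
# line wrapping differences between the kubeconfig copy and the file.
pem_fingerprint() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
        | grep -v 'CERTIFICATE-----' | tr -d '\n\r ' \
        | base64 -d | sha256sum | cut -d' ' -f1
}

# kubeconfig_ca_matches KUBECONFIG CA_CRT
#   0: every certificate-authority-data entry matches CA_CRT
#   1: at least one entry is a different certificate (stale CA after rotation)
#   2: no embedded CA (file uses certificate-authority: <path>, or has none)
kubeconfig_ca_matches() {
    [ -r "$2" ] || { echo "cannot read $2" >&2; return 2; }
    want=$(pem_fingerprint < "$2")
    found=0; bad=0
    # Same extraction as the one-liner in the report, one value per cluster
    # entry; kubeadm writes the value unquoted, so $2 is the bare base64.
    for blob in $(awk '/certificate-authority-data:/ {print $2}' "$1"); do
        found=1
        got=$(printf '%s' "$blob" | base64 -d | pem_fingerprint)
        [ "$got" = "$want" ] || bad=1
    done
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ]
}

# ---- constructed fixtures for the demo; not real X.509 certificates ----

# write_fake_cert FILE LABEL: PEM armor around placeholder bytes.
write_fake_cert() {
    {
        printf '%s\n' '-----BEGIN CERTIFICATE-----'
        printf 'constructed placeholder DER for %s' "$2" | base64
        printf '%s\n' '-----END CERTIFICATE-----'
    } > "$1"
}

# write_kubeconfig FILE CA_CRT: minimal kubeconfig embedding CA_CRT the way
# kubeadm does (base64 of the whole PEM file, on one line).
write_kubeconfig() {
    cadata=$(base64 < "$2" | tr -d '\n')
    cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: $cadata
    server: https://127.0.0.1:6443
  name: kubernetes
EOF
}

# make_demo_fixtures DIR: old and new CA, plus kubeconfigs built from each.
make_demo_fixtures() {
    write_fake_cert "$1/old-ca.crt" old
    write_fake_cert "$1/new-ca.crt" new
    write_kubeconfig "$1/admin-old.conf" "$1/old-ca.crt"
    write_kubeconfig "$1/admin-new.conf" "$1/new-ca.crt"
    # A kubeconfig that points at a file instead of embedding the CA.
    printf 'clusters:\n- cluster:\n    certificate-authority: %s\n' \
        "$1/new-ca.crt" > "$1/admin-path.conf"
}

# demo: rotate to new-ca.crt and report which kubeconfigs were really updated.
demo() {
    dir=$(mktemp -d)
    make_demo_fixtures "$dir"
    for conf in admin-old.conf admin-new.conf admin-path.conf; do
        rc=0
        kubeconfig_ca_matches "$dir/$conf" "$dir/new-ca.crt" || rc=$?
        case $rc in
            0) echo "$conf: embedded CA matches new-ca.crt" ;;
            2) echo "$conf: no embedded CA; check its certificate-authority: path" ;;
            *) echo "$conf: STALE CA, still carries the pre-rotation certificate" ;;
        esac
    done
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as sh check-ca.sh demo to see the three outcomes on the constructed fixtures; on a node, source the file and call kubeconfig_ca_matches /etc/kubernetes/admin.conf /etc/kubernetes/pki/ca.crt for each conf file. On macOS replace sha256sum with shasum -a 256. A return of 2 is not a pass: a kubeconfig that references certificate-authority: by path still needs that path checked against the rotated CA.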

Most upvoted comments

@neolit123 Yes, I patched it.

The documentation should reside on the k8s.io website. The repository that holds it is https://github.com/kubernetes/website.

e.g. on this page: https://kubernetes.io/docs/tasks/tls/certificate-rotation/

You can create a tracking issue there, tag it with /sig auth and link to this issue. To get feedback from SIG Auth you can try discussing this in their meeting or Slack channel: https://github.com/kubernetes/community/tree/master/sig-auth

The documentation in question should be deployer (e.g. kubeadm) agnostic.