Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: the certificate validity period changed from 99 years to 1 year after the cluster is upgraded #4880

Merged
merged 1 commit into from
Jul 11, 2024
Merged

fix: the certificate validity period changed from 99 years to 1 year after the cluster is upgraded #4880

merged 1 commit into from
Jul 11, 2024

Conversation

ghostloda
Copy link
Collaborator

@ghostloda ghostloda commented Jul 10, 2024
edited
Loading

Fix #4113

Test k8s-v1.26.8 upgrad to k8s-v1.27.11

Before upgrading

kubectl get nodes
NAME                   STATUS   ROLES           AGE    VERSION
test-1.novalocal   Ready    control-plane   2m5s   v1.26.8
test2.novalocal    Ready    control-plane   62s    v1.26.8
[root@lcx-test-1 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
W0710 18:10:37.225578   20471 utils.go:69] The recommended value for "healthzBindAddress" in "KubeletConfiguration" is: 127.0.0.1; the provided value is: 0.0.0.0

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 16, 2124 10:07 UTC   99y             ca                      no      
apiserver                  Jun 16, 2124 10:07 UTC   99y             ca                      no      
apiserver-etcd-client      Jun 16, 2124 10:07 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   Jun 16, 2124 10:07 UTC   99y             ca                      no      
controller-manager.conf    Jun 16, 2124 10:07 UTC   99y             ca                      no      
etcd-healthcheck-client    Jun 16, 2124 10:07 UTC   99y             etcd-ca                 no      
etcd-peer                  Jun 16, 2124 10:07 UTC   99y             etcd-ca                 no      
etcd-server                Jun 16, 2124 10:07 UTC   99y             etcd-ca                 no      
front-proxy-client         Jun 16, 2124 10:07 UTC   99y             front-proxy-ca          no      
scheduler.conf             Jun 16, 2124 10:07 UTC   99y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 16, 2124 10:07 UTC   99y             no      
etcd-ca                 Jun 16, 2124 10:07 UTC   99y             no      
front-proxy-ca          Jun 16, 2124 10:07 UTC   99y

After upgrade

# kubectl get nodes
NAME                   STATUS   ROLES           AGE     VERSION
test-1.novalocal   Ready    control-plane   10m     v1.27.11
test2.novalocal    Ready    control-plane   9m49s   v1.27.11
[root@lcx-test-1 ~]# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jun 16, 2124 10:07 UTC   99y             ca                      no      
apiserver                  Jun 16, 2124 10:07 UTC   99y             ca                      no      
apiserver-etcd-client      Jun 16, 2124 10:07 UTC   99y             etcd-ca                 no      
apiserver-kubelet-client   Jun 16, 2124 10:07 UTC   99y             ca                      no      
controller-manager.conf    Jun 16, 2124 10:07 UTC   99y             ca                      no      
etcd-healthcheck-client    Jun 16, 2124 10:07 UTC   99y             etcd-ca                 no      
etcd-peer                  Jun 16, 2124 10:07 UTC   99y             etcd-ca                 no      
etcd-server                Jun 16, 2124 10:07 UTC   99y             etcd-ca                 no      
front-proxy-client         Jun 16, 2124 10:07 UTC   99y             front-proxy-ca          no      
scheduler.conf             Jun 16, 2124 10:07 UTC   99y             ca                      no      

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jun 16, 2124 10:07 UTC   99y             no      
etcd-ca                 Jun 16, 2124 10:07 UTC   99y             no      
front-proxy-ca          Jun 16, 2124 10:07 UTC   99y             no

@sealos-ci-robot
Copy link
Member

🤖 Generated by lychee action

Summary

Status Count
🔍 Total 1286
✅ Successful 385
⏳ Timeouts 0
🔀 Redirected 0
👻 Excluded 900
❓ Unknown 0
🚫 Errors 0

Full action output

Full Github Actions output

@lingdie lingdie merged commit 134a975 into labring:main Jul 11, 2024
90 of 91 checks passed
@ghostloda ghostloda deleted the certs-expiration branch July 11, 2024 05:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bxy4543 bxy4543 bxy4543 approved these changes

Assignees
No one assigned
Labels
area/lifecycle-management area/runtime size/XS
Projects
None yet
Milestone
No milestone
4 participants
@ghostloda @sealos-ci-robot @bxy4543 @lingdie