Generated etcd.pem not following expiration configured in cluster.yaml #892
Comments
@iherbmatt Good catch! Probably it is a bug. The value seems to have been hard-coded to 365 days for a year.
https://github.com/kubernetes-incubator/kube-aws/blame/a2daf1a/core/controlplane/config/encrypted_assets.go#L189-L191
According to the commit history, I believe there's no specific reason to hard-code, especially to 365 days. I'm more than ok to "fix" the expiration to be read from tlsCertDurationDays provided via cluster.yaml, similarly to other certs. Would you be ok with that?
I think that would be a good idea - it would definitely make the
configuration more consistent.
Thank you!
*Matt Poland | Software Developer*
*iHerb Inc - Natural Products & More*
*www.iherb.com <http://www.iherb.com> | [email protected] <[email protected]>*
…On Wed, Aug 30, 2017 at 12:36 AM, KUOKA Yusuke ***@***.***> wrote:
@iherbmatt <https://github.com/iherbmatt> Good catch!
Probably it is a bug. The value seems to have been hard-coded to 365 days
for a year.
https://github.com/kubernetes-incubator/kube-aws/blame/a2daf1a/core/controlplane/config/encrypted_assets.go#L189-L191
According to the commit history, I believe there's no specific reason to
hard-code, especially to 365 days. I'm more than ok to "fix" the expiration
to be read from tlsCertDurationDays provided via cluster.yaml, similarly
to other certs.
Would you be ok with that?
@iherbmatt Thanks for the confirmation 👍
…-aws * 'master' of https://github.com/kubernetes-incubator/kube-aws: (55 commits)
  Bump default k8s to 1.7.5
  Fix the scheduling and permissions issue of CA by fixing the conditional in stack-template.json for worker and controller stacks, while making configuration easier.
  Fix tests
  Read worker-ca-key.pem instead of ca-key.pem when certs are managed by kube-aws and TLS bootstrapping is enabled. Formerly, ca-key.pem was read to be installed on controller nodes to support TLS bootstrapping. However, we have the CA dedicated for TLS bootstrapping today, instead of the one used more widely.
  Fix the bug that symlinks under `credentials` were not accessible from anywhere other than the parent of the `credentials` dir
  Fix the bug that the contents of ca-key.pem was that of ca.pem
  Add more informational log messages to the render-credentials command
  Fix a degradation in message ordering. As explained in kubernetes-retired#877 (comment)
  Fix the existing CA support. It seems to have broken at some point.
  Fix the json parsing error when clusterAutoscalerSupport is enabled on node pools
  Fix too permissive IAM policy for CA associated to controller nodes. Fix kubernetes-retired#903
  Add spot fleet support for the `awsNodeLabels` feature. Resolves kubernetes-retired#803
  Drop the ability to disable RBAC via cluster.yaml. Enable RBAC by default. Resolves kubernetes-retired#655
  Fix the hard-coded duration until an etcd cert generated by kube-aws expires. Fix kubernetes-retired#892
  Fix test timeouts in CI. Resolves kubernetes-retired#893
  Fix ca-key.pem handling and tests
  Create symlinks in test helpers
  Dedicated worker CA and Etcd trusted CA bundle
  Fix encrypted files regen tests
  ...
Bugger, I wish I had seen your issue earlier @iherbmatt! I just had a cluster created with an older than 0.9.8 version of kube-aws go haywire a couple hours ago due to the etcd cert expiring after one year instead of three like I had specified in cluster.yaml. I had to quickly roll and install a manual replacement certificate! Thanks for fixing this @mumoshu. I checked my 0.9.9 clusters and don't see the problem there.
How did you fix it? kube-aws update?
*Matt Poland | Software Developer*
*iHerb Inc - Natural Products & More*
*www.iherb.com <http://www.iherb.com> | [email protected] <[email protected]>*
…On Sun, Jan 7, 2018 at 10:24 PM, Aaron Roydhouse ***@***.***> wrote:
Bugger I wish I had seen your issue earlier @iherbmatt
<https://github.com/iherbmatt>! I just had a cluster created with an
older than 0.9.8 version of kube-aws go haywire a couple hours ago due
to the etcd cert expiring after one year instead of three like I had
specified in cluster.yaml. I had to quickly roll and install a manual
replacement certificate! Thanks for fixing this @mumoshu
<https://github.com/mumoshu>. I checked my 0.9.9 clusters and don't see
the problem there.
@iherbmatt I issued a new certificate, manually installed it in '/etc/etd2/ssl', and restarted etcd with systemctl. That is not perfect because I imagine a kube-aws update that rolled etcd nodes will install the old certificate again. But I think in this old kube-aws version etcd nodes are masked from any kube-aws update changes.
I've not used kube-aws update for handling certificates, but I think you
can use it to auto-generate new certificates and then redeploy the new set
for another "year" if needed - if you wanted to continue using the old
version of kube-aws.
*Matt Poland | Software Developer*
*iHerb Inc - Natural Products & More*
*www.iherb.com <http://www.iherb.com> | [email protected] <[email protected]>*
…On Mon, Jan 8, 2018 at 9:59 AM, Aaron Roydhouse ***@***.***> wrote:
@iherbmatt <https://github.com/iherbmatt> I issued a new certificate,
manually installed it in '/etc/etd2/ssl', and restarted etcd with systemctl.
That is not perfect because I imagine a kube-aws update that rolled etcd
nodes will install the old certificate again. But I think in this old
kube-aws version etcd nodes are masked from any kube-aws update changes.
@iherbmatt yeah that occurred to me, but only for one year. I'd have to try using a new
Hello,
I recently downloaded kube-aws 0.9.8 and generated a fresh set of credentials using the following command:
kube-aws render credentials
Beforehand, I set both Cert and CA certificate expiration to 3650 days (10 years). What I noticed was that all certificates but the etcd.pem cert were generated to expire in 2027. The etcd.pem certificate was set to expire in 365 days.
In order to determine the expiration I'm using the following:
openssl x509 -enddate -noout -in etcd.pem
Here's the output:
notAfter=Aug 30 05:40:25 2018 GMT
It seems this is a bug? It's the only certificate that expires this soon. What would be the result of this certificate expiring?
Thank you,
Matt
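The two things this thread turns on, a certificate lifetime that has to come from tlsCertDurationDays rather than a literal in the generator (mumoshu's diagnosis above), and a check that catches a certificate which does not match that setting before it expires in production (the openssl enddate check in this report, and the outage Aaron describes), as one added Go example. This is not kube-aws code: the ClusterConfig struct, the function names, the sample certificates and the file names are assumptions for the example; the constructed "etcd.pem" is issued with a literal 365 to reproduce the symptom reported here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"sort"
	"time"
)

// ClusterConfig stands in for cluster.yaml; only the setting this thread is
// about is modelled. Assumed type for this example, not kube-aws's own.
type ClusterConfig struct {
	TLSCertDurationDays int
}

// issueCertFor self-signs a certificate for cn valid for `days` from now.
// It takes the lifetime as a parameter so the demo can reproduce the bug by
// passing a literal; generators should call issueCert instead.
func issueCertFor(days int, cn string, now time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// issueCert is the fixed shape: the lifetime is read from the config.
func issueCert(cfg ClusterConfig, cn string, now time.Time) ([]byte, error) {
	return issueCertFor(cfg.TLSCertDurationDays, cn, now)
}

// Finding is one certificate that disagrees with the config or is near expiry.
type Finding struct {
	Name   string
	Reason string
}

// auditCerts parses each PEM (file name -> contents) and reports certificates
// whose NotBefore..NotAfter span is not tlsCertDurationDays, and certificates
// expiring within warnDays of now. Names are visited in sorted order.
func auditCerts(cfg ClusterConfig, pems map[string][]byte, now time.Time, warnDays int) ([]Finding, error) {
	want := time.Duration(cfg.TLSCertDurationDays) * 24 * time.Hour
	names := make([]string, 0, len(pems))
	for n := range pems {
		names = append(names, n)
	}
	sort.Strings(names)

	var findings []Finding
	for _, name := range names {
		block, _ := pem.Decode(pems[name])
		if block == nil || block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("%s: no CERTIFICATE block found", name)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		if got := cert.NotAfter.Sub(cert.NotBefore); got != want {
			findings = append(findings, Finding{name, fmt.Sprintf(
				"valid for %d days, cluster.yaml says tlsCertDurationDays=%d",
				int(got.Hours()/24), cfg.TLSCertDurationDays)})
		}
		if left := cert.NotAfter.Sub(now); left < time.Duration(warnDays)*24*time.Hour {
			findings = append(findings, Finding{name, fmt.Sprintf(
				"notAfter=%s, %d days left", cert.NotAfter.UTC().Format(time.RFC3339), int(left.Hours()/24))})
		}
	}
	return findings, nil
}

func main() {
	// Constructed sample set: one cert issued from the config, and an
	// "etcd.pem" issued with the literal 365 that this issue reports.
	cfg := ClusterConfig{TLSCertDurationDays: 3650}
	now := time.Date(2017, 8, 30, 5, 40, 25, 0, time.UTC)
	apiserver, err := issueCert(cfg, "kube-apiserver", now)
	if err != nil {
		log.Fatal(err)
	}
	etcd, err := issueCertFor(365, "etcd", now) // hard-coded lifetime: the bug
	if err != nil {
		log.Fatal(err)
	}
	findings, err := auditCerts(cfg, map[string][]byte{"apiserver.pem": apiserver, "etcd.pem": etcd}, now, 30)
	if err != nil {
		log.Fatal(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Name, f.Reason)
	}
}
```

Run against a real credentials directory by reading each *.pem into the map; the lifetime check flags etcd.pem immediately after render, which is the same mismatch the openssl command in this report shows, while the warnDays check is the alert that would have preceded the one-year outage described above.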