Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kubeconfig client certs not automatically renewed #520

Open
ttreptow opened this issue Dec 13, 2024 · 0 comments · May be fixed by #521
Open

Kubeconfig client certs not automatically renewed #520

ttreptow opened this issue Dec 13, 2024 · 0 comments · May be fixed by #521
Labels
kind/bug Something isn't working triage/accepted Indicates an issue or PR is ready to be actively worked on.
Milestone
v0.11.0

Comments

@ttreptow
Copy link

ttreptow commented Dec 13, 2024
edited
Loading

What happened:
The client cert in the generated kubeconfig secret expires after one year. However, the rke2 provider does not regenerate the kubeconfig with a new cert, breaking any tools that depend on reading the clustername-kubeconfig secret to get cluster credentials.

What did you expect to happen:

The kubeconfig secret is renewed a reasonable time before expiration. The cluster-api kubeadm control plane does this here

How to reproduce it:

Create a cluster. Wait one year. Check kubeconfig cert expiration

Anything else you would like to add:

Weirdly the code has a comment "only do rotation on owned secrets", checks that it owns the kubeconfig secret, and then just doesn't rotate it.

Environment:

  • rke provider version: 0.8.0
  • OS (e.g. from /etc/os-release): ubuntu 22.04 LTS
@ttreptow ttreptow added kind/bug Something isn't working needs-priority Indicates an issue or PR needs a priority assigning to it needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 13, 2024
@ttreptow ttreptow linked a pull request Dec 13, 2024 that will close this issue
Open
4 tasks
@alexander-demicev alexander-demicev added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-priority Indicates an issue or PR needs a priority assigning to it needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 3, 2025
@alexander-demicev alexander-demicev modified the milestones: v0.12.0, v0.11.0 Jan 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Something isn't working triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v0.11.0
Development

Successfully merging a pull request may close this issue.

Rotate kubeconfig before it expires ttreptow/cluster-api-provider-rke2
2 participants
@ttreptow @alexander-demicev