Commit Graph

22 Commits

Author SHA1 Message Date
Samuel Davidson
41735bf478 Changed Kubelet client and serving cert TTL/Expiry certs to use gaugefunc for calculating time remaining.
Kubernetes-commit: aba0b315269dab469694af7fca879438a7f87e41
2019-12-03 16:01:56 -08:00
Ryan Phillips
52589237eb kubelet: add certificate rotation error metric
Kubernetes-commit: 8e50c55e6bf715d9067376a9e7f136ffacb0a3ee
2019-11-05 16:51:40 -06:00
Samuel Davidson
7bd7ed8621 Added rotation metric to certificate manager
Kubernetes-commit: 7adb18120079016ed8aea1bd40e5cde161827a1d
2019-10-28 14:09:40 -07:00
Sukeesh
94daee0164 Cleanup: Audit log and error capitalization
Kubernetes-commit: 346fdbccf0ac06ab3fa0e51ab3b92fdc041bb4cc
2019-06-30 11:56:27 +09:00
Jordan Liggitt
987d27d1af Interrupt WaitForCertificate if desired kubelet serving cert changes
Kubernetes-commit: 739a75fc32c5337ddbd13691e9bf6648fb13ff0d
2019-05-15 11:47:23 -04:00
Andrew Lytvynov
ba851ad197 Extract new keyutil package from client-go/util/cert
This package contains public/private key utilities copied directly from
client-go/util/cert. All imports were updated.

Future PRs will actually refactor the libraries.

Updates #71004

Kubernetes-commit: 18458392ca24c85c688e655aace1afd04f864cbd
2018-12-09 16:24:38 -08:00
Tomas Nozicka
0dbe75c417 Switch WaitForCertificate to informers to avoid broken watches
Kubernetes-commit: a7588723f7e9b88c2e8b9d601a2391e0f6b19a17
2019-01-17 18:32:36 +01:00
Clayton Coleman
96e95840d4 Restore "Make bootstrap client cert loading part of rotation""
This reverts the revert of commit 34642222676640b3c1dd255cc453000f2743ccde.

Kubernetes-commit: 486577df17570b321a91b223901d7e4fdbb63519
2018-11-17 13:44:58 -05:00
Clayton Coleman
57b75fe80b Revert "Make bootstrap client cert loading part of rotation"
This reverts commit 0af19875add7deb562b2cf7bf6b1d273c44bab1b.

Revert "Ensure the bootstrap rotation code is tested by forcing rotation"

This reverts commit de293b2d7ddb687850258370f2a7f30f224f0ec1.

Kubernetes-commit: 34642222676640b3c1dd255cc453000f2743ccde
2018-11-17 10:24:23 -05:00
Clayton Coleman
cbb80ab872 Ensure the bootstrap rotation code is tested by forcing rotation
Expose both a Stop() method (for cleanup) and a method to force
cert rotation, but only expose Stop() on the interface.

Verify that we choose the correct client.

Kubernetes-commit: de293b2d7ddb687850258370f2a7f30f224f0ec1
2018-11-15 17:21:02 -05:00
Clayton Coleman
39159c379b Make bootstrap client cert loading part of rotation
Ensure that bootstrap+clientcert-rotation in the Kubelet can:

1. happen in the background so that static pods aren't blocked by bootstrap
2. collapse down to a single call path for requesting a CSR
3. reorganize the code to allow future flexibility in retrieving bootstrap creds

Fetching the first certificate and later certificates when the kubelet
is using client rotation and bootstrapping should share the same code
path. We also want to start the Kubelet static pod loop before
bootstrapping completes. Finally, we want to take an incremental step
towards improving how the bootstrap credentials are loaded from disk
(potentially allowing for a CLI call to get credentials, or a remote
plugin that better integrates with cloud providers or KSMs).

Reorganize how the kubelet client config is determined. If rotation is
off, simplify the code path. If rotation is on, load the config
from disk, and then pass that into the cert manager. The cert manager
creates a client each time it tries to request a new cert.

Preserve existing behavior where:

1. bootstrap kubeconfig is used if the current kubeconfig is invalid/expired
2. we create the kubeconfig file based on the bootstrap kubeconfig, pointing to
   the location that new client certs will be placed
3. the newest client cert is used once it has been loaded

Kubernetes-commit: 0af19875add7deb562b2cf7bf6b1d273c44bab1b
2018-10-16 12:52:47 -04:00
Davanum Srinivas
74cd8bbeee Move from glog to klog
- Move from the old github.com/golang/glog to k8s.io/klog
- klog as explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
  * github.com/kubernetes/repo-infra
  * k8s.io/gengo/
  * k8s.io/kube-openapi/
  * github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods

Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135

Kubernetes-commit: 954996e231074dc7429f7be1256a579bedd8344c
2018-11-09 13:49:10 -05:00
Andrew Gunnerson
b9b3f6d2e7 certificate_manager: Check that template differs from current cert before rotation
With the current behavior, when kubelet starts, a `templateChanged`
event is always fired off because it only checks if `getLastRequest`
matches `getTemplate`. The last request only exists in memory and thus
is initially `nil` and can't ever match the current template during
startup.

This causes kubelet to request the signing of a new CSR every time it's
restarted. This commit changes the behavior so that `templateChanged` is
only fired off if the currently template doesn't match both the current
certificate and the last template.

Fixes #69471

Signed-off-by: Andrew Gunnerson <andrew.gunnerson@us.ibm.com>

Kubernetes-commit: b9ab65d689cc48353ca5dae9f210ff408726a0d2
2018-10-08 12:08:32 -04:00
Jordan Liggitt
9936c2e1aa Derive kubelet serving certificate CSR template from node status addresses
Kubernetes-commit: db9d3c2d1057f97a4763987baee00b82718feaa0
2018-06-28 14:44:25 -04:00
Clayton Coleman
b30485cc03 When using the bootstrap cert, update the store
Otherwise, the certificate store will return nil the first time a store
cert is accessed. When background rotation is being used, prevents the
client from being nil.

Kubernetes-commit: b81f4745546340f08abd3f877c585aac9581d0f0
2018-02-04 01:24:56 -05:00
halfcrazy
b6a34c5a00 fix typo in client-go
Kubernetes-commit: 86801dee64215e76080fe8df83ffd1fb7df9e093
2018-02-01 02:33:45 +08:00
Clayton Coleman
3f65b38279 Only rotate certificates in the background
The certificate manager originally had a "block on startup" rotation
behavior to ensure at least one rotation happened on startup. However,
since rotation may not succeed within the first time window the code was
changed to simply print the error rather than return it. This meant that
the blocking rotation has no purpose - it cannot cause the kubelet to
fail, and it *does* block the kubelet from starting static pods before
the api server becomes available.

The current block behavior causes a bootstrapped kubelet that is also
set to run static pods to wait several minutes before actually launching
the static pods, which means self-hosted masters using static pods have
a pointless delay on startup.

Since blocking rotation has no benefit and can't actually fail startup,
this commit removes the blocking behavior and simplifies the code at the
same time. The goroutine for rotation now completely owns the deadline,
the shouldRotate() method is removed, and the method that sets
rotationDeadline now returns it. We also explicitly guard against a
negative sleep interval and omit the message.

Should have no impact on bootstrapping except the removal of a long
delay on startup before static pods start.

Also add a guard condition where if the current cert in the store is
expired, we fall back to the bootstrap cert initially (we use the
bootstrap cert to communicate with the server). This is consistent with
when we don't have a cert yet.

Kubernetes-commit: 44493de195d89ec43cc7246af921e626e0002c16
2018-01-28 14:28:28 -05:00
Eric Chiang
134dba2dab certificate manager: reduce max backoff from 128s to 32s
Kubernetes-commit: cba8939504e303a3e8ab7f8b69be29ef78fa48cc
2017-11-08 16:24:01 -08:00
Clayton Coleman
1372839f29 Move pkg/kubelet/util/csr into client-go
Everything else it depends on was already there, and now we have a
somewhat consistent code chain.

Kubernetes-commit: 5649f9a578f4f130f61579d77d5609fbdaf82a1f
2017-10-10 20:15:03 -04:00
Clayton Coleman
f7a735a8c2 Have the certificate manager decide if the server is healthy
Prevent a Kubelet from shutting down when the server isn't responding to
us but we cannot get a new certificate. This allows a cluster to coast
if the master is unresponsive or a node is partitioned and their client
cert expires.

Kubernetes-commit: b3a11aa635022761637090f4fc8d5cb57f3f0010
2017-10-05 18:57:53 -04:00
Clayton Coleman
bb96050dfb Collapse duplicate code into pkg/util/csr
There is no reason to duplicate this code into two places.

Kubernetes-commit: c3bea24ab6242b084e7d09073c8906c778611243
2017-10-01 16:10:51 -04:00
Jacob Simpson
1bb4ecc0ae Move certificate manager to client.
Kubernetes-commit: 415c4d2c3af1fadb839bf4b73c6ea16db6b8c59f
2017-03-09 16:34:55 -08:00