From 8943e443e81c201cb73f9152d03f0747412685f6 Mon Sep 17 00:00:00 2001
From: "Lubomir I. Ivanov"
Date: Thu, 5 Mar 2020 03:36:28 +0200
Subject: [PATCH] kubeadm: deprecate the flag --use-api for cert renewal

The KCM is moving to means of only singing apiserver (kubelet) client and kubelet serving certificates. See: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190607-certificates-api.md#signers Up until now the experimental kubeadm functionality '--use-api' under "kubeadm alpha certs renew" was using the KCM to sign *any* certficate as long as the KCM has the root CA cert/key. Post discussions with the kubeadm maintainers, it was decided that this functionality should be removed from kubeadm due to the requirement to have external signers for renewing the common control-plane certificates that kubeadm manages.
---
 cmd/kubeadm/app/cmd/alpha/certs.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cmd/kubeadm/app/cmd/alpha/certs.go b/cmd/kubeadm/app/cmd/alpha/certs.go
index ac9cdd4b791..c78b613ebfb 100644
--- a/cmd/kubeadm/app/cmd/alpha/certs.go
+++ b/cmd/kubeadm/app/cmd/alpha/certs.go
@@ -43,7 +43,7 @@ var (
 genericCertRenewLongDesc = cmdutil.LongDesc(`
 Renew the %s.
 
- Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will
+ Renewals run unconditionally, regardless of certificate expiration date; extra attributes such as SANs will
 be based on the existing file/certificates, there is no need to resupply them.
 
 Renewal by default tries to use the certificate authority in the local PKI managed by kubeadm; as alternative
@@ -208,7 +208,12 @@ func addRenewFlags(cmd *cobra.Command, flags *renewFlags) {
 options.AddKubeConfigFlag(cmd.Flags(), &flags.kubeconfigPath)
 options.AddCSRFlag(cmd.Flags(), &flags.csrOnly)
 options.AddCSRDirFlag(cmd.Flags(), &flags.csrPath)
+ // TODO: remove the flag and related logic once legacy signers are removed,
+ // potentially with the release of certificates.k8s.io/v1:
+ // https://github.com/kubernetes/kubeadm/issues/2047
 cmd.Flags().BoolVar(&flags.useAPI, "use-api", flags.useAPI, "Use the Kubernetes certificate API to renew certificates")
+ cmd.Flags().MarkDeprecated("use-api", "certificate renewal from kubeadm using the Kubernetes API "+
+ "is deprecated and will be removed when 'certificates.k8s.io/v1' releases.")
 }
 
 func renewCert(flags *renewFlags, kdir string, internalcfg *kubeadmapi.InitConfiguration, handler *renewal.CertificateRenewHandler) error {
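Review bot: The deprecation text on the new `MarkDeprecated("use-api", ...)` call says when the flag goes away but not what to use instead, and the flag stays fully functional until then, so a cluster that relies on it keeps having the KCM sign control-plane certificates with no pointer to the supported path. Consider ending the message with the replacement, for example `"is deprecated and will be removed when 'certificates.k8s.io/v1' releases; renew with the local CA or use --csr-only with an external signer."`. The error returned by `MarkDeprecated` is also dropped; it presumably cannot fail here because the flag is registered on the line above, but `_ = cmd.Flags().MarkDeprecated(...)` or a short comment would make that intentional. addRenewFlags starts above the hunk, so any other use of `flags.useAPI` is not visible here.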