kubeadm upgrade node not rotate certificate

Created on 4 Oct 2019  路  5Comments  路  Source: kubernetes/kubeadm

Versions

kubeadm version (use kubeadm version):
v1.15.0 and above

What happened?

kubeadm doc:

In Kubernetes v1.15.0 and later, kubeadm upgrade apply and kubeadm upgrade node will also automatically renew the kubeadm managed certificates on this node, including those stored in kubeconfig files. To opt-out, it is possible to pass the flag --certificate-renewal=false. For more details about certificate renewal see the certificate management documentation.

But the certificates were only updated on the first wizard where the command kubeadm upgrade apply was executed

on the second and third masters, the command kubeadm upgrade node was executed and the certificates for them remained untouched.
But when i use the kubeadm with option kubeadm upgrade node --certificate-renewal, the certificates will be updated

What you expected to happen?

Certificates must be renewed with command kubeadm upgrade node

How to reproduce it (as minimally and precisely as possible)?

install kube cluster with 3 master and upgrade it with kubeadm

kinbug kindocumentation lifecyclactive prioritimportant-longterm
Source
picture LuckySB
👍2

Most helpful comment

Thanks so much for a quick fix.

picture LuckySB on 6 Oct 2019
👍2

All 5 comments

Isn't the value of the flag 'true' by default?

neolit123 picture neolit123 on 4 Oct 2019

looking at the source this seems like a bug.

/kind bug
/assign

neolit123 picture neolit123 on 5 Oct 2019

@LuckySB

the fix is here:
https://github.com/kubernetes/kubernetes/pull/83528
but this will land in 1.17.

we can consider backporting to 1.15 and 1.16, but given there is a workaround and given the bug is non-critical, we might just add a note in:
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#automatic-certificate-renewal

neolit123 picture neolit123 on 5 Oct 2019

Thanks so much for a quick fix.

LuckySB picture LuckySB on 6 Oct 2019
👍2

let's keep this open, until we decide if we want to add documention note here https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#automatic-certificate-renewal

neolit123 picture neolit123 on 6 Oct 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

andersla picture andersla  路  4Comments
jessfraz picture jessfraz  路  3Comments
mattmoyer picture mattmoyer  路  4Comments
danderson picture danderson  路  3Comments
atoato88 picture atoato88  路  4Comments