Persist TLS certificate and key of antrea-controller #5955

Merged: 1 commit, Feb 7, 2024

Commits on Feb 6, 2024

  1. Persist TLS certificate and key of antrea-controller

    In clusters where upgrade is performed with rolling update of Nodes and
    images of new versions are only available on new Nodes, the deployment
    strategy of antrea-controller is set to RollingUpdate to prevent
    antrea-controller Pod from being deleted immediately when the deployment
    is updated, leading to a period in which no antrea-controller is
    running. However, it also causes two instances of antrea-controller to
    run simultaneously in a short time, making it possible that the old
    instance overrides the CA bundle stored in antrea-ca ConfigMap,
    APIServices, and Webhooks, while the new instance won't update them
    again.
    
    The commit makes two changes to fix the problem:
    
    1. CACertController will periodically sync the CA cert to improve the
       robustness.
    
    2. Self-signed TLS certificate and key of antrea-controller will be
       stored in a Secret and will be reused after restarting controller.
       This makes running multiple antrea-controller instances
       simultaneously possible and makes restart of antrea-controller
       smoother as antrea-agents don't need to retrieve a new CA bundle most
       of the time.
    
    Besides, the change is helpful for implementing high-availability of
    antrea-controller in the future.
    
    Signed-off-by: Quan Tian <qtian@vmware.com>
    tnqn committed Feb 6, 2024
    94cd0cd
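
The reuse-after-restart behaviour described in the commit message, sketched as an added example (not Antrea's code): a persisted pair is reused only if the key matches the certificate and the certificate stays valid for at least `minLeft`. The map standing in for the Secret's data, the key names `tls.crt` and `tls.key`, the ECDSA P-256 key type, the common name, the one-year validity and the `minLeft` parameter are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// loadOrGenerate reuses the pair held in secret (a hypothetical stand-in for the Secret's
// data) when it is usable; otherwise it generates a self-signed pair and stores it there.
func loadOrGenerate(secret map[string][]byte, now time.Time, minLeft time.Duration) ([]byte, bool, error) {
	if pair, err := tls.X509KeyPair(secret["tls.crt"], secret["tls.key"]); err == nil { // fails if key and cert differ
		c, err := x509.ParseCertificate(pair.Certificate[0])
		if err == nil && !now.Before(c.NotBefore) && now.Add(minLeft).Before(c.NotAfter) {
			return secret["tls.crt"], true, nil // same CA bundle as before the restart
		}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, false, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: "example-controller"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, false, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, false, err
	}
	secret["tls.crt"] = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	secret["tls.key"] = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return secret["tls.crt"], false, nil
}

func main() {
	_, reused, err := loadOrGenerate(map[string][]byte{}, time.Now(), 24*time.Hour)
	fmt.Println(reused, err)
}
```

Two instances that call this against the same stored data serve the same certificate, so neither overwrites the other's CA bundle with a different one.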