✨ KCP regenerates kubeconfigs before client certs expire #3140
Does this apply to secrets generated by CABPK when not using KCP?
No, it only applies to KCP. Do we want to support this for non-KCP control planes? It'd just involve duplicating this code to the cluster controller AFAIK.
@detiber what do you think?
SGTM
It does mean that this is another feature of the very wide and loosely defined set of expectations for a control plane provider to implement, but I think that's true of many features of KCP now
@benmoss should probably add some docs around the new behavior (and lack of support for the non-KCP case), otherwise lgtm
docs/book/src/developer/architecture/controllers/control-plane.md
Co-authored-by: Jason DeTiberus <detiberusj@vmware.com>
This PR looks ready to go, @detiber wdyt?
/milestone v0.3.7
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: benmoss, vincepri The full list of commands accepted by this bot can be found here. The pull request process is described here
What this PR does / why we need it:
KCP will now automatically regenerate the Kubeconfig secret during cluster reconciliation. It will do so when the client certificate in it reaches its half-life of 180 days.
Which issue(s) this PR fixes:
Fixes #3113
Side note: I'd like to propose deprecating `kubeconfig.New` as part of this, any thoughts? It's kind of confusing now where `New` is essentially a private method that only gets called by `generateKubeconfig`. Previously the only usage was from `CreateSecretWithOwner`.

/assign @nader-ziada @sedefsavas