-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Manual cherry pick: kubeadm: fix upgrading external CA cluster to 1.29 #124682
Manual cherry pick: kubeadm: fix upgrading external CA cluster to 1.29 #124682
Conversation
/triage accepted |
If the user has deleted ca.key from disk, this means that kubeadm cannot sign any new certificates on 'upgrade apply'. In 'upgrade apply' for 1.29 a call to generate the separate 'super-admin.conf' and apply the RBAC for the new 'admin.conf' was added. This breaks for external CA user. If external CA is detected, show a warning that the user must perform manual steps and apply only the RBAC without generating the new 'super-admin.conf' and 'admin.conf'.
b8d1f63
to
fa26f8a
Compare
local tests
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
LGTM label has been added. Git tree hash: 68538c22b381d81683df36210b36fb366b2c9fa3
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: neolit123, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind bug
What this PR does / why we need it:
If the user doesn't have ca.key on disk (external CA mode), this means that kubeadm cannot sign any new certificates on 'upgrade apply'. In 'upgrade apply' for 1.29 a call to generate the separate 'super-admin.conf' and apply the RBAC for the new 'admin.conf' was added. This breaks for external CA user.
If external CA is detected, show a warning that the user must perform manual steps and apply only the RBAC without generating the new 'super-admin.conf' and 'admin.conf'.
In 1.30 this code no longer exists and that's why this is a manual cherry pick / fix for 1.29 only.
Which issue(s) this PR fixes:
Fixes kubernetes/kubeadm#3055
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: