Revert kubelet server tls bootstrap (backport to v5) #1257
Merged
Why is this PR needed?
When the admin upgrades from 1.17 -> 1.18, the admin would do:
Then, at the first control plane node upgrade, usually the admin checks all the pods in the stable state, however, since the first control node sets serverTLSBootstrap: true, which means it sends out kubelet server CSR in the cluster but there is no CSR signer right now (kucero installed later in skuba addon upgrade apply). Therefore, the metrics-server would be crash loopback state because the kubelet server does not have its server certificate right now (it seems like the kubelet does not honor in-disk kubelet.crt which is generated by skuba if serverTLSBootstrap: true).
What does this PR do?
serverTLSBootstrap: true but instead skuba generates the kubelet server certificate
Anything else a reviewer needs to know?
It's a backport PR to release-caasp-5.0.0, related to #1248.
Info for QA
This is info for QA so that they can validate this. This is mandatory if this PR fixes a bug.
If this is a new feature, a good description in "What does this PR do" may be enough.
Related info
Info that can be relevant for QA:
Status BEFORE applying the patch
The kubelet configuration /var/lib/kubelet/config.yaml would have serverTLSBootstrap: true in fresh install or upgraded cluster.
Status AFTER applying the patch
The kubelet configuration /var/lib/kubelet/config.yaml would not have serverTLSBootstrap: true in fresh install or upgraded cluster.
Docs
If docs need to be updated, please add a link to a PR to https://github.com/SUSE/doc-caasp.
At the time of creating the issue, this PR can be work in progress (set its title to [WIP]),
but the documentation needs to be finalized before the PR can be merged.
Merge restrictions
(Please do not edit this)
We are in v4-maintenance phase, so we will restrict what can be merged to prevent unexpected surprises: