manual-ca-rotation: adjust note for "--client-ca-file"

- Instead of telling the users to remove the flag, tell them that they can point to a copy of the new CA for --client-ca-file --cluster-signing-cert-file that is not in a bundle with the old CA.
- Don't reference the kubeadm issue. If sig-auth has a tracking issue for --client-ca-file / --c

manual-ca-rotation: adjust note for "--client-ca-file"

- Instead of telling the users to remove the --client-ca-file flag, tell them that they can point to a copy of the new CA. Mention the same for --cluster-signing-cert-file.
- Don't reference the kubeadm issue. If sig-auth has a tracking issue for --client-ca-file / --cluster-signing-cert-file and bundles we can add that at some point.
content/en/docs/tasks/tls/manual-rotation-of-ca-certificates.md (5 additions & 3 deletions)
@@ -38,9 +38,11 @@ Configurations with a single API server will experience unavailability while the
38
38
Any service account created after this point will get secrets that include both old and new CAs.
39
39
40
40
{{< note >}}
41
-
Remove the flag `--client-ca-file` from the *Kubernetes controller manager* configuration.
42
-
You can also replace the existing client CA file or change this configuration item to reference a new, updated CA.
43
-
[Issue 1350](https://github.com/kubernetes/kubeadm/issues/1350) tracks an issue with *Kubernetes controller manager* being unable to accept a CA bundle.
41
+
The files specified by the *Kubernetes controller manager* flags `--client-ca-file` and `--cluster-signing-cert-file`
42
+
cannot be CA bundles. If these flags and `--root-ca-file` point to the same `ca.crt` file which is now a
43
+
bundle (includes both old and new CA) you will face an error. To workaround this problem you can copy the new CA to a separate
44
+
file and make the flags `--client-ca-file` and `--cluster-signing-cert-file` point to the copy. Once `ca.crt` is no longer
45
+
a bundle you can restore the problem flags to point to `ca.crt` and delete the copy.
44
46
{{< /note >}}
45
47
46
48
1. Update all service account tokens to include both old and new CA certificates.
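Review bot: the added note says "you will face an error" without naming which component reports it or at what point in the procedure, so a reader who hits the problem has nothing to match against; say where the error surfaces and, if possible, quote the symptom. In the same lines, "To workaround this problem" should read "To work around this problem" (verb form), and "Once `ca.crt` is no longer a bundle you can restore the problem flags" would be clearer if it referred to the numbered step of this procedure where the old CA is removed from `ca.crt`, since readers follow the surrounding steps (such as "1. Update all service account tokens ...") in order. It is also worth stating explicitly that the copy must contain only the new CA certificate: if the old CA is copied along with it, the copy is itself a bundle and the workaround does not help.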