
Commit 56d4c7e

Merge pull request #1665 from vrutkovs/revert-1661-revert-1652
NO-JIRA: Re-apply "certrotationcontroller: set AutoRegenerateAfterOfflineExpiry for generated certificates"
2 parents d2e1a0d + a64a08c commit 56d4c7e


1 file changed

+50
-25
lines changed


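--- a/pkg/operator/certrotationcontroller/certrotationcontroller.go
+++ b/pkg/operator/certrotationcontroller/certrotationcontroller.go
@@ -134,7 +134,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "aggregator-client-signer",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions openshift-apiserver'",
 },
 Validity: 30 * rotationDay,
 Refresh: 15 * rotationDay,
@@ -148,7 +149,8 @@ func newCertRotationController(
 Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace,
 Name: "kube-apiserver-aggregator-client-ca",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions openshift-apiserver'",
 },
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.GlobalMachineSpecifiedConfigNamespace).Core().V1().ConfigMaps(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.GlobalMachineSpecifiedConfigNamespace).Core().V1().ConfigMaps().Lister(),
@@ -159,7 +161,8 @@ func newCertRotationController(
 Namespace: operatorclient.TargetNamespace,
 Name: "aggregator-client",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions openshift-apiserver'",
 },
 Validity: 30 * rotationDay,
 Refresh: 15 * rotationDay,
@@ -183,7 +186,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "kube-apiserver-to-kubelet-signer",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-cli] Kubectl logs logs should be able to retrieve and filter logs [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]'",
 },
 Validity: 1 * 365 * defaultRotationDay, // this comes from the installer
 // Refresh set to 80% of the validity.
@@ -199,7 +203,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "kube-apiserver-to-kubelet-client-ca",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-cli] Kubectl logs logs should be able to retrieve and filter logs [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]'",
 },
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
@@ -210,7 +215,8 @@ func newCertRotationController(
 Namespace: operatorclient.TargetNamespace,
 Name: "kubelet-client",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[sig-cli] Kubectl logs logs should be able to retrieve and filter logs [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]'",
 },
 Validity: 30 * rotationDay,
 Refresh: 15 * rotationDay,
@@ -263,7 +269,8 @@ func newCertRotationController(
 Namespace: operatorclient.TargetNamespace,
 Name: "localhost-serving-cert-certkey",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Validity: 30 * rotationDay,
 Refresh: 15 * rotationDay,
@@ -316,7 +323,8 @@ func newCertRotationController(
 Namespace: operatorclient.TargetNamespace,
 Name: "service-network-serving-certkey",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Validity: 30 * rotationDay,
 Refresh: 15 * rotationDay,
@@ -370,7 +378,8 @@ func newCertRotationController(
 Namespace: operatorclient.TargetNamespace,
 Name: "external-loadbalancer-serving-certkey",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Validity: 30 * rotationDay,
 Refresh: 15 * rotationDay,
@@ -424,7 +433,8 @@ func newCertRotationController(
 Namespace: operatorclient.TargetNamespace,
 Name: "internal-loadbalancer-serving-certkey",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'[bz-kube-apiserver] kube-apiserver should be accessible by clients using internal load balancer without iptables issues'",
 },
 Validity: 30 * rotationDay,
 Refresh: 15 * rotationDay,
@@ -504,7 +514,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "kube-control-plane-signer",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Validity: 60 * defaultRotationDay,
 Refresh: 30 * defaultRotationDay,
@@ -518,7 +529,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "kube-control-plane-signer-ca",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
@@ -529,7 +541,8 @@ func newCertRotationController(
 Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace,
 Name: "kube-controller-manager-client-cert-key",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-controller-manager'",
 },
 Validity: 30 * rotationDay,
 Refresh: 15 * rotationDay,
@@ -553,7 +566,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "kube-control-plane-signer",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Validity: 60 * defaultRotationDay,
 Refresh: 30 * defaultRotationDay,
@@ -567,7 +581,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "kube-control-plane-signer-ca",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
@@ -578,7 +593,8 @@ func newCertRotationController(
 Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace,
 Name: "kube-scheduler-client-cert-key",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-scheduler'",
 },
 Validity: 30 * rotationDay,
 Refresh: 15 * rotationDay,
@@ -602,7 +618,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "kube-control-plane-signer",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Validity: 60 * defaultRotationDay,
 Refresh: 30 * defaultRotationDay,
@@ -616,7 +633,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "kube-control-plane-signer-ca",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
@@ -627,7 +645,8 @@ func newCertRotationController(
 Namespace: operatorclient.TargetNamespace,
 Name: "control-plane-node-admin-client-cert-key",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Validity: 30 * rotationDay,
 Refresh: 15 * rotationDay,
@@ -651,7 +670,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "kube-control-plane-signer",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Validity: 60 * defaultRotationDay,
 Refresh: 30 * defaultRotationDay,
@@ -665,7 +685,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "kube-control-plane-signer-ca",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
@@ -676,7 +697,8 @@ func newCertRotationController(
 Namespace: operatorclient.TargetNamespace,
 Name: "check-endpoints-client-cert-key",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Validity: 30 * rotationDay,
 Refresh: 15 * rotationDay,
@@ -700,7 +722,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "node-system-admin-signer",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Validity: 1 * 365 * defaultRotationDay,
 // Refresh set to 80% of the validity.
@@ -716,7 +739,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "node-system-admin-ca",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 Informer: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps(),
 Lister: kubeInformersForNamespaces.InformersFor(operatorclient.OperatorNamespace).Core().V1().ConfigMaps().Lister(),
@@ -727,7 +751,8 @@ func newCertRotationController(
 Namespace: operatorclient.OperatorNamespace,
 Name: "node-system-admin-client",
 AdditionalAnnotations: certrotation.AdditionalAnnotations{
-JiraComponent: "kube-apiserver",
+JiraComponent: "kube-apiserver",
+AutoRegenerateAfterOfflineExpiry: "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631,'operator conditions kube-apiserver'",
 },
 // This needs to live longer then control plane certs so there is high chance that if a cluster breaks
 // because of expired certs these are still valid to use for collecting data using localhost-recovery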
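Review bot: The `AutoRegenerateAfterOfflineExpiry` value is a hand-assembled `"<PR URL>,'<test name>'"` string typed out in all 25 hunks of this file, so a typo in the URL or a test name compiles cleanly and leaves that certificate's annotation citing evidence that does not exist. The annotation appears to record that a signer or leaf certificate (for example `node-system-admin-signer` or `kube-apiserver-to-kubelet-signer`) is expected to regenerate after expiring while the cluster was offline, so I would define the link once, e.g. `const autoRegenPR = "https://github.com/openshift/cluster-kube-apiserver-operator/pull/1631"`, build each value through a small `autoRegenAfterOfflineExpiry(testName string) string` helper, and add a comment stating the expected `link,'test name'` format. Most entries cite only the generic `'operator conditions kube-apiserver'` test; whether that test actually exercises regeneration of each named secret or CA bundle is not visible here and is worth confirming before the annotation is relied on. `newCertRotationController` starts and ends outside every hunk, so the surrounding struct literals could not be checked.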
