[release-4.19] Use kubelet rotation 4.19 by praveenkumar · Pull Request #1085 · crc-org/snc · GitHub

[release-4.19] Use kubelet rotation 4.19 #1085


Open
wants to merge 2 commits into base: release-4.19

Conversation

@praveenkumar praveenkumar (Member) commented May 28, 2025

Summary by Sourcery

Enable kubelet certificate auto-rotation for OpenShift 4.19 by deploying a bootstrap credential manager and integrating its workflow into the snc.sh and microshift.sh scripts while updating default mirror URLs.

New Features:

  • Automate kubelet bootstrap credential generation and replacement via a new kubelet-bootstrap-cred-manager DaemonSet
  • Add script steps to perform immediate certificate rotation in snc.sh using the bootstrap cred manager without waiting 24 hours

Enhancements:

  • Update default mirror URLs in snc.sh and microshift.sh to point to the stable OpenShift 4 (ocp) repository
  • Set default MicroShift version to 4.19 and adjust the corresponding repository path

This is a cherry-pick from 6b4b26a

Till now we didn't face any issue with cert rotation, but recently when we
faced the issue and asked the cert dev about it, he pointed out that this step
is still required and should be part of the script if you stop your cluster
before 24 hours and do a time skew for cert rotation.

- https://issues.redhat.com/browse/OCPBUGS-56551
- https://blog.openshift.com/enabling-openshift-4-clusters-to-stop-and-resume-cluster-vms/
sourcery-ai bot commented May 28, 2025

Reviewer's Guide

This PR backports the Kubelet certificate rotation workflow for release-4.19 by updating mirror URLs to production repos, embedding inline rotation steps in the SNC script to bypass the 24h wait, and adding a DaemonSet manifest to automate kubeconfig rotation.

Sequence Diagram for SNC Script Certificate Rotation Steps

sequenceDiagram
    actor UserCI as "User/CI"
    participant snc_sh as "snc.sh script"
    participant oc_cli as "oc CLI"
    participant K8sAPI as "Kubernetes API Server"
    participant KBM_DS as "Kubelet Bootstrap Cred Manager DS"

    UserCI->>snc_sh: Execute script

    snc_sh->>oc_cli: apply -f kubelet-bootstrap-cred-manager-ds.yaml
    oc_cli->>K8sAPI: Apply DaemonSet (KBM_DS)
    K8sAPI-->>KBM_DS: Create/Schedule Pods
    activate KBM_DS
    note right of KBM_DS: KBM_DS pods start rotating kubeconfigs on nodes

    snc_sh->>oc_cli: delete secrets csr-signer-signer, csr-signer
    oc_cli->>K8sAPI: Delete Secrets
    K8sAPI-->>oc_cli: Secrets Deleted Response

    snc_sh->>oc_cli: adm wait-for-stable-cluster
    oc_cli->>K8sAPI: Monitor cluster stability
    K8sAPI-->>oc_cli: Cluster Stable Response
    oc_cli-->>snc_sh: Cluster is stable

    snc_sh->>snc_sh: Potentially renew_certificates() (existing step)
    snc_sh->>oc_cli: wait-for install-complete (existing step)
    oc_cli->>K8sAPI: Monitor install completion
    K8sAPI-->>oc_cli: Install Complete Response
    oc_cli-->>snc_sh: Install is complete

    snc_sh->>oc_cli: delete daemonset kubelet-bootstrap-cred-manager
    oc_cli->>K8sAPI: Delete DaemonSet (KBM_DS)
    K8sAPI-->>KBM_DS: Terminate Pods
    deactivate KBM_DS
    K8sAPI-->>oc_cli: DaemonSet Deleted Response

    snc_sh->>oc_cli: wait --for=delete daemonset KBM_DS
    oc_cli->>K8sAPI: Check KBM_DS deletion status
    K8sAPI-->>oc_cli: Deletion Confirmed Response
    oc_cli-->>snc_sh: KBM_DS deletion confirmed

Class Diagram: kubelet-bootstrap-cred-manager DaemonSet Configuration

classDiagram
    class KubeletBootstrapCredManagerDaemonSet {
      <<Resource: DaemonSet>>
      +apiVersion: "apps/v1"
      +kind: "DaemonSet"
      +metadata_name: "kubelet-bootstrap-cred-manager"
      +metadata_namespace: "openshift-machine-config-operator"
      +spec_selector_matchLabels_k8sApp: "kubelet-bootstrap-cred-manager"
      +spec_template_spec_nodeSelector_masterRole: ""
      +spec_template_spec_priorityClassName: "system-cluster-critical"
      +spec_template_spec_restartPolicy: "Always"
      +container_name: "kubelet-bootstrap-cred-manager"
      +container_image: "quay.io/openshift/origin-cli:latest"
      +container_command: "['/bin/bash', '-ec']"
      +container_args: "Bash script for kubeconfig rotation (see YAML)"
      +container_securityContext_privileged: true
      +container_volumeMount_path: "/etc/kubernetes/"
      +volume_hostPath_path: "/etc/kubernetes/"
    }

File-Level Changes

Change: Updated default mirror URLs and aligned MicroShift version
Details:
  • Switched MIRROR default from ocp-dev-preview to ocp in snc.sh
  • Updated MIRROR, MIRROR_REPO defaults and set MICROSHIFT_VERSION to 4.19 in microshift.sh
Files: snc.sh, microshift.sh

Change: Integrated inline Kubelet cert rotation steps in SNC
Details:
  • Applied kubelet-bootstrap-cred-manager DaemonSet before install completion
  • Deleted csr-signer-signer and csr-signer secrets
  • Waited for stable cluster state
  • Removed bootstrap-cred-manager DaemonSet and awaited its deletion
Files: snc.sh

Change: Added DaemonSet manifest for kubelet-bootstrap credential management
Details:
  • Created kubelet-bootstrap-cred-manager DaemonSet with origin-cli loop to generate and install kubeconfigs
  • Mounted /etc/kubernetes for direct kubeconfig replacement
  • Set privileged securityContext, master nodeSelector, and critical tolerations
Files: kubelet-bootstrap-cred-manager-ds.yaml
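The rotation sequence this PR inlines into snc.sh, written out as an added standalone shell example (not snc.sh or any other code from the repository): it issues the same oc steps the reviewer's guide lists, with the kubeconfig path as an assumed default and the namespace of the csr-signer secrets (openshift-kube-controller-manager-operator) taken from the OpenShift stop/resume procedure rather than from this page.

```shell
#!/usr/bin/env bash
# Added example, not snc.sh itself: the kubelet cert rotation steps as one
# function, so the exact command sequence can be reviewed and exercised.
set -eu

KUBECONFIG=${KUBECONFIG:-crc-tmp-install-data/auth/kubeconfig}   # assumed path
DS_MANIFEST=${DS_MANIFEST:-kubelet-bootstrap-cred-manager-ds.yaml}
DS_NAME=kubelet-bootstrap-cred-manager
DS_NS=openshift-machine-config-operator              # from the manifest in this PR
SIGNER_NS=openshift-kube-controller-manager-operator # assumption (OpenShift docs)

rotate_kubelet_certs() {
    # 1. Start the cred manager on the control-plane node; its loop rewrites
    #    /etc/kubernetes/kubeconfig from the node-bootstrapper token.
    oc --kubeconfig "$KUBECONFIG" apply -f "$DS_MANIFEST"

    # 2. Drop the CSR signer secrets. The operator regenerates them, which
    #    forces a new signer now instead of after the default 24 h period.
    oc --kubeconfig "$KUBECONFIG" delete secrets -n "$SIGNER_NS" \
        csr-signer-signer csr-signer

    # 3. Let the operators settle on the new signer before going on.
    oc --kubeconfig "$KUBECONFIG" adm wait-for-stable-cluster \
        --minimum-stable-period=2m --timeout=30m

    # 4. Remove the DaemonSet again and confirm it is gone: it runs privileged
    #    and mounts /etc/kubernetes, so it must not survive into the bundle.
    oc --kubeconfig "$KUBECONFIG" delete daemonset -n "$DS_NS" "$DS_NAME"
    oc --kubeconfig "$KUBECONFIG" wait --for=delete -n "$DS_NS" \
        "daemonset/$DS_NAME" --timeout=5m
}

# Only touch a real cluster when explicitly asked (RUN_ROTATION=1).
if [ "${RUN_ROTATION:-0}" = 1 ]; then
    rotate_kubelet_certs
fi
```

Step 4 is the part worth checking in a review of the shipped bundle: a leftover privileged DaemonSet with a hostPath mount of /etc/kubernetes is a persistent foothold on the node, so the delete and the wait-for-delete are not optional.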


@openshift-ci openshift-ci bot requested review from anjannath and cfergeau May 28, 2025 15:35
openshift-ci bot commented May 28, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign praveenkumar for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Since ocp-4.19 is now available as an rc, the latest build is now available on
the `ocp` landing page instead of the `ocp-dev-preview` one.
@praveenkumar praveenkumar force-pushed the use_kubelet_rotation_4.19 branch from 17ae3bc to d2c0059 Compare May 28, 2025 16:37
@praveenkumar praveenkumar (Member, Author) commented

/retest
