kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

manual-ca-rotation: adjust note for "--client-ca-file" 

- Instead of telling the users to remove the flag, tell them
that they can point to a copy of the new CA for --client-ca-file
--cluster-signing-cert-file that is not in a bundle with the old CA.
- Don't reference the kubeadm issue. If sig-auth has a tracking
issue for --client-ca-file / --cmanual-ca-rotation: adjust note for "--client-ca-file"

- Instead of telling the users to remove the --client-ca-file flag,
tell them that they can point to a copy of the new CA.
Mention the same for --cluster-signing-cert-file.
- Don't reference the kubeadm issue. If sig-auth has a tracking
issue for --client-ca-file / --cluster-signing-cert-file and bundles
we can add that at some point.
pull/24423/head
Lubomir I. Ivanov 2020-10-08 04:09:35 +03:00
parent 0703805305
commit 61e330d06d
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
content/en/docs/tasks/tls/manual-rotation-of-ca-certificates.md
View File

@ -38,9 +38,11 @@ Configurations with a single API server will experience unavailability while the
Any service account created after this point will get secrets that include both old and new CAs.
{{< note >}}
Remove the flag `--client-ca-file` from the *Kubernetes controller manager* configuration.
You can also replace the existing client CA file or change this configuration item to reference a new, updated CA.
[Issue 1350](https://github.com/kubernetes/kubeadm/issues/1350) tracks an issue with *Kubernetes controller manager* being unable to accept a CA bundle.
The files specified by the *Kubernetes controller manager* flags `--client-ca-file` and `--cluster-signing-cert-file`
cannot be CA bundles. If these flags and `--root-ca-file` point to the same `ca.crt` file which is now a
bundle (includes both old and new CA) you will face an error. To workaround this problem you can copy the new CA to a separate
file and make the flags `--client-ca-file` and `--cluster-signing-cert-file` point to the copy. Once `ca.crt` is no longer
a bundle you can restore the problem flags to point to `ca.crt` and delete the copy.
{{< /note >}}
1. Update all service account tokens to include both old and new CA certificates.