Page MenuHomePhabricator
Create Task
Maniphest T280301

Refresh certs that are not controlled by kubeadm
Closed, ResolvedPublic
Actions

Description

When upgrading the cluster, it's a good idea to refresh certs that aren't controlled by either kubeadm (which get updated during the upgrade process) or maintain-kubeusers (user certs mostly). That means for the Prometheus server and the webhook controllers.

For the admission controller webhooks, rerun the get-cert.sh script similar to the doc, but do not bother the ca-bundle.sh script as that is no longer necessary at all except for local testing. That should inject the secret. To use the secret, delete the appropriate pods in the ingress-admission and registry-admission workspaces to restart them one at a time. Generally the README on the repos for these are the most authoritative docs if in doubt.

For the Prometheus ones, follow the doc on wikitech to recreate the certs.

Certs expire in a year, so they are probably getting old at this point.

Details

SubjectRepoBranchLines +/-
toolforge: prometheus: renew k8s TLS certoperations/puppetproduction+18 -19
Customize query in gerrit

Related Objects
Search...

Event Timeline

Bstorm created this task.Apr 15 2021, 10:31 PM
taavi triaged this task as Medium priority.Apr 17 2021, 9:03 AM
taavi subscribed.May 8 2021, 4:58 PM

The last time this was done (T250874) was about 11 months ago, so we have another month remaining before the certificates expire.

taavi raised the priority of this task from Medium to High.May 25 2021, 2:49 PM

Raising this to high given how little lifetime these certificates have remaining

Stashbot added a comment.Jun 3 2021, 4:49 PM

Mentioned in SAL (#wikimedia-cloud) [2021-06-03T16:49:16Z] <majavah> renew registry-admission-webhook certificates T280301

Stashbot added a comment.Jun 3 2021, 4:55 PM

Mentioned in SAL (#wikimedia-cloud) [2021-06-03T16:55:00Z] <majavah> renew ingress-admission-controller certificates T280301

Stashbot added a comment.Jun 3 2021, 5:06 PM

Mentioned in SAL (#wikimedia-cloud) [2021-06-03T17:06:41Z] <majavah> renew admission webhook certificates T280301

gerritbot added a comment.Jun 3 2021, 5:17 PM

Change 698009 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] toolforge: prometheus: renew k8s TLS cert

https://gerrit.wikimedia.org/r/698009

gerritbot added a project: Patch-For-Review.Jun 3 2021, 5:17 PM
Stashbot added a comment.Jun 3 2021, 6:27 PM

Mentioned in SAL (#wikimedia-cloud) [2021-06-03T18:26:58Z] <majavah> renew prometheus kubernetes certificate T280301

gerritbot added a comment.Jun 3 2021, 6:36 PM

Change 698009 merged by Bstorm:

[operations/puppet@production] toolforge: prometheus: renew k8s TLS cert

https://gerrit.wikimedia.org/r/698009

Maintenance_bot removed a project: Patch-For-Review.Jun 3 2021, 7:11 PM
taavi closed this task as Resolved.Jun 8 2021, 6:39 PM
taavi claimed this task.

This was done last week (after they expired).

Restricted Application added a project: User-Majavah. · View Herald TranscriptJun 8 2021, 6:39 PM
Bstorm added a comment.Jun 8 2021, 6:43 PM

Did that include the webhook controllers? I wasn't clear on that. I thought it was just the prometheus one. The webhooks need a script re-run from their repos to refresh the cert.

Bstorm added a comment.Jun 8 2021, 6:44 PM

Oh yeah, it's in SAL :) Thanks for closing this.

taavi mentioned this in T308402: toolforge: Refresh certs that are not controlled by kubeadm (mid 2022 edition).May 15 2022, 12:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL