Only roll pods once for ClientsCa cert renewal #10814
Open
+39
−99
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Update CaReconciler to only roll pods when cluster CA key is replaced, not when clients CA key is replaced. Currently we do two rolling updates for the key replacement, once in CaReconciler, and once in component reconcilers, e.g. KafkaReconciler. This is not required for clients CA since is is only used for trust. Signed-off-by: Katherine Stanley <[email protected]>
katheris
force-pushed
the
caReconcilerOnlyRollForClusterCa
branch
from
1fa4618
to
daee331
Compare
|
/azp run regression |
|
Azure Pipelines successfully started running 1 pipeline(s). |
tombentley
reviewed
Nov 17, 2024
| @@ -375,38 +375,29 @@ Future<Void> reconcileClusterOperatorSecret(Clock clock) { | |||
|
|
|||
| /** | |||
| * Perform a rolling update of the cluster so that CA certificates get added to their truststores, or expired CA | |||
| * certificates get removed from their truststores. Note this is only necessary when the CA certificate has changed | |||
| * due to a new CA key. It is not necessary when the CA certificate is replace while retaining the existing key. | |||
| * certificates get removed from their truststores. Note this is only necessary when the Cluster CA certificate has changed | |||
There was a problem hiding this comment.
I'm trying to understand this doc and the method name. The doc says it's only needed for the cluster CA, but the method name doesn't make that distinction. Perhaps it should?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Type of change
Select the type of your PR
Description
Update CaReconciler to only roll pods when cluster CA key is replaced, not when clients CA key is replaced.
Currently we do two rolling updates for the key replacement, once in CaReconciler, and once in component reconcilers, e.g. KafkaReconciler. This is not required for clients CA since is is only used for trust.
Checklist
Please go through this checklist and make sure all applicable tasks have been done