When the PublicKeysECDSA feature gate is used or the new
v1beta4.ClusterConfiguration.EncryptionAlgorithm field is used
with "ECDSA-P256" as value, make sure that this is reflected
in the "cert spec" used to generate private keys and they end
up as "EC keys".

When doing a kubelet health check on init/join, do not
hardcode the "localhost" address. Instead, use the
KubeletConfiguration HealthzBindAddress and HealthzPort
fields.

Currently, if etcd.yaml does not have a diff on "kubeadm upgrade",
certificate renewal for it is also skipped.
Check if kube-apiserver.yaml needs an upgrade; if so and if
cert renewal is not disabled, renew etcd's certs and restart
its static pod.

With the new `cri-client` staging repository it's finally possible to
decouple `kubeadm` from `crictl`.
Signed-off-by: Sascha Grunert <sgrunert@redhat.com>

The feature was left in alpha for a few releases, since
k8s started planning on a broader feature UserNamespacesSupport,
which is what kubeadm should integrate with.
UserNamespacesSupport graduated to beta in 1.30.
Once it graduates to GA kubeadm can start using it and remove
RootlessControlPlane.

Currently, there are some unit tests that are failing on
Windows due to various reasons:
- Cannot remove a directory if there's a file open in that directory.
- Paths may have / or \ on Windows.

When using UpgradeNodeConfiguration.IgnorePreflightErrors the field
is currently ignored in favor of the "defaulted" field created
by configutil.FetchInitConfigurationFromCluster.
Fix this bug.

Add Upgrade{Apply|Node}Configuration.{ImagePullPolicy|ImagePullSerial}.
The same feature already exists in NodeRegistrationOptions for
{Init|Join}Configuration.

Use GetCurrentProcessToken() instead of checking the groups of a user.
The Go stdlib way of fetching the groups of a user appears
to be failing on some Windows setups, which could be a regression
in later Go versions, or simply the code does not work on certain
setups.

Allow the user to pass custom cert validity period with
ClusterConfiguration.CertificateValidityPeriod and
CACertificateValidityPeriod.
The defaults remain 1 year for regular certs and 10 years for the CA.
Show warnings if the provided values are more than the defaults.
Additional changes:
- In "certs show-expiration" use HumanDuration() to print
more detailed durations instead of ShortHumanDuration().
- Add a new kubeadm util GetStartTime() which can be used
to consistently get a UTC time for tasks like writing certs
and unit tests.
- Update unit tests to validate the new customizable NotAfter.
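The two certificate-related messages above (an "ECDSA-P256" cert spec must yield EC keys, and a custom validity period is honoured with a warning when it exceeds the 1-year / 10-year defaults) are illustrated by the following added Go program. It is not kubeadm's code: CertSpec, NewPrivateKey, PEMKeyType, ValidityWarning and GenerateSelfSigned are assumed names standing in for kubeadm's own cert-spec machinery, and the "RSA-2048" / "ECDSA-P256" strings are assumed values. The start time is truncated to whole seconds, the precision at which X.509 encodes time, so a parsed certificate reports exactly the requested validity; this is the kind of consistency the GetStartTime() utility is meant to give unit tests.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertSpec is a hypothetical stand-in for a kubeadm "cert spec": it carries
// the key algorithm and the requested validity for one certificate.
type CertSpec struct {
	Name      string
	Algorithm string        // assumed values: "RSA-2048" (default) or "ECDSA-P256"
	Validity  time.Duration // requested lifetime (NotAfter - NotBefore); 0 means default
	IsCA      bool
}

// Defaults named in the commit message: 1 year for leaf certs, 10 years for the CA.
const (
	DefaultCertValidity = 365 * 24 * time.Hour
	DefaultCAValidity   = 10 * DefaultCertValidity
)

// NewPrivateKey derives the key type from the spec's algorithm, so that an
// "ECDSA-P256" spec really produces an EC key rather than an RSA one.
func NewPrivateKey(alg string) (crypto.Signer, error) {
	switch alg {
	case "ECDSA-P256":
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	case "", "RSA-2048":
		return rsa.GenerateKey(rand.Reader, 2048)
	}
	return nil, fmt.Errorf("unsupported encryption algorithm %q", alg)
}

// PEMKeyType reports the PEM block type the key is written as on disk,
// which is how "EC keys" and RSA keys are told apart in a .key file.
func PEMKeyType(key crypto.Signer) (string, error) {
	switch key.(type) {
	case *ecdsa.PrivateKey:
		return "EC PRIVATE KEY", nil
	case *rsa.PrivateKey:
		return "RSA PRIVATE KEY", nil
	}
	return "", fmt.Errorf("unexpected key type %T", key)
}

// ValidityWarning returns a warning when the requested validity is longer than
// the default for that kind of certificate; the requested value is still used.
func ValidityWarning(spec CertSpec) string {
	limit := DefaultCertValidity
	if spec.IsCA {
		limit = DefaultCAValidity
	}
	if spec.Validity > limit {
		return fmt.Sprintf("WARNING: %s: requested validity %s exceeds the default %s",
			spec.Name, spec.Validity, limit)
	}
	return ""
}

// GenerateSelfSigned creates a key and a self-signed certificate from the spec.
func GenerateSelfSigned(spec CertSpec, start time.Time) (*x509.Certificate, crypto.Signer, error) {
	key, err := NewPrivateKey(spec.Algorithm)
	if err != nil {
		return nil, nil, err
	}
	validity := spec.Validity
	if validity == 0 {
		validity = DefaultCertValidity
		if spec.IsCA {
			validity = DefaultCAValidity
		}
	}
	start = start.UTC().Truncate(time.Second) // X.509 times carry whole seconds only
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: spec.Name},
		NotBefore:             start,
		NotAfter:              start.Add(validity),
		IsCA:                  spec.IsCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	// Constructed spec: an EC CA asked for 11 years, i.e. longer than the default.
	spec := CertSpec{Name: "ca", Algorithm: "ECDSA-P256", Validity: 11 * DefaultCertValidity, IsCA: true}
	if w := ValidityWarning(spec); w != "" {
		fmt.Println(w)
	}
	cert, key, err := GenerateSelfSigned(spec, time.Now())
	if err != nil {
		panic(err)
	}
	typ, _ := PEMKeyType(key)
	fmt.Printf("%s: %s, %s, valid %s\n", cert.Subject.CommonName, typ, cert.PublicKeyAlgorithm, cert.NotAfter.Sub(cert.NotBefore))
}
```

A practical check for the first commit is exactly what this program makes mechanical: after generating, assert on the concrete key type and on the certificate's PublicKeyAlgorithm rather than trusting the configured algorithm string, because a cert spec that silently falls through to the RSA default still produces a valid but wrong certificate.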

Instead of erroring during the preflight check 'CreateJob'
from "upgrade" commands when there are no schedulable nodes,
show a warning.
This can happen in single node clusters.
Also increase the Job TTL after completion to 20 seconds
to make sure it's more than the timeout that waits
for the Job to complete.