Commit b88f1e1
cluster: Update the location of aggregator-client certificate

aggregator-client-ca is a CA bundle, which contains a single signer - aggregator-client-signer. The target certificate is created from this signer - aggregator-client, which can be tracked for cert expiry purposes.

`/etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt` represents the CA bundle which contains the signer aggregator-client-signer and creates the target cert for aggregator-client, which is synced to `/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/aggregator-client/tls.crt`.

During testing of 4.17.0.ec.1 we found out that `secrets/aggregator-client/tls.crt` is synced before `configmaps/aggregator-client-ca/ca-bundle.crt`, which is due to the certsyncer controller. If we wait for `configmaps/aggregator-client-ca/ca-bundle.crt` then it takes more time, ~10 mins, but `secrets/aggregator-client/tls.crt` appears early and is a good signal that the cert is rotated. That's the reason we are changing the location of it in this PR.

```
$ ls -l /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/
total 0
drwxr-xr-x. 2 root root 36 Jul 18 10:43 aggregator-client
$ ls -l /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/
total 0
drwxr-xr-x. 2 root root 27 Jul 18 10:44 aggregator-client-ca
```

1 parent beca62f commit b88f1e1

1 file changed: +1 -1 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
32 | 32 | | |
33 | 33 | | |
34 | 34 | | |
35 | | - | |
| 35 | + | |
36 | 36 | | |
37 | 37 | | |
38 | 38 | | |
| |||