Renew etcd certificates generated by custom etcd CA #7796

Open
byDimasik wants to merge 1 commit into k0sproject:main from byDimasik:regenerate-etcd-certs-from-custom-ca

@byDimasik

Contributor

Description

k0s renews certs issued by a custom cluster CA,
and it should do the same for certs issued by
a custom etcd CA.

Fixes #7795

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

How Has This Been Tested?

  • Manual test
  • Auto test added

Checklist

  • My code follows the style guidelines of this project
  • My commit messages are signed-off
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have checked my code and corrected any misspellings

@byDimasik byDimasik requested review from a team as code owners June 12, 2026 22:00
@byDimasik byDimasik requested review from jnummelin and ncopa June 12, 2026 22:00
@byDimasik byDimasik force-pushed the regenerate-etcd-certs-from-custom-ca branch from 623cb17 to 6b781e4 Compare June 12, 2026 22:35
k0s renews certs issued by a custom cluster CA,
and it should do the same for certs issued by
a custom etcd CA.

Fixes k0sproject#7795

Signed-off-by: Dmitrii Shishliannikov <dshishliannikov@mirantis.com>
@byDimasik byDimasik force-pushed the regenerate-etcd-certs-from-custom-ca branch from 6b781e4 to ceae598 Compare June 16, 2026 15:32
byDimasik commented Jun 16, 2026

Contributor Author

@twz123 thanks for replaying the tests for me. I looked into the logs from the failed runs and discovered an actual issue with my change. It turned out there are 2 independent cert managers; etcd has its own, and the order of operations is as follows:

  1. Common cert manager for all but etcd certs runs
  2. Etcd component starts
  3. Etcd component uses a second cert manager just for etcd certs

The failure is on step 1 where we expect etcd CA to be created, but it's only created on step 3, so step 1 fails with etcd ca not found error.

I made a change so that I log a warning instead of failing when etcd CA isn't present - https://github.com/k0sproject/k0s/pull/7796/changes#diff-a79868c58696b375941a0e5a2b1787adab963bde4947a06d3f2402e131ba3c3bR226-R232

It should work now.

@byDimasik

Contributor Author

It seems to me the test failures are unrelated to my change. Some happened even before the test started: INTERNAL_ERROR from golang.org. Others finished with random timeouts; the logs didn't show anything useful or related to my change.

Successfully merging this pull request may close these issues.

etcd certificates issued by custom CA are not regenerated