Skip to content

Monitor EKS Anywhere cluster certificates #9815

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 25, 2025
Merged

Monitor EKS Anywhere cluster certificates #9815

merged 1 commit into from
Jun 25, 2025

Conversation

panktishah26
Copy link
Member

@panktishah26 panktishah26 commented Jun 13, 2025
edited
Loading

Description of changes:
Currently if we want to monitor cluster's control plane and external etcd certificates, we follow these steps https://anywhere.eks.amazonaws.com/docs/clustermgmt/certificate-management/manual-steps-renew-certs/

This PR adds a way to monitor cluster certificates from EKS-A cluster object.

status:
  childrenReconciledGeneration: 4
  clusterCertificateInfo:
  - machine: test-etcd-2tpp5
    expiresInDays: 339
  - machine: test-etcd-2vxpb
    expiresInDays: 339
  - machine: test-etcd-fxp59
    expiresInDays: 339
  - machine: test-jwv6l
    expiresInDays: 339
  - machine: test-p4hrf
    expiresInDays: 339
  - machine: test-b4gt7
    expiresInDays: 339

The status field will have expiresInDays for each control plane and external etcd machine.

Testing (if applicable):

Documentation added/planned (if applicable):

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@eks-distro-bot eks-distro-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 13, 2025
@codecov Codecov
Copy link

codecov bot commented Jun 13, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 81.81818% with 22 lines in your changes missing coverage. Please review.

Project coverage is 69.90%. Comparing base (0c368ff) to head (2a7cc00).
Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
pkg/certificates/scanner.go 82.56% 18 Missing and 1 partial ⚠️
controllers/cluster_controller.go 0.00% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #9815      +/-   ##
==========================================
+ Coverage   69.85%   69.90%   +0.04%     
==========================================
  Files         675      676       +1     
  Lines       50321    50442     +121     
==========================================
+ Hits        35152    35260     +108     
- Misses      13361    13375      +14     
+ Partials     1808     1807       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@panktishah26 panktishah26 force-pushed the monitor-cluster-certificates branch 2 times, most recently from 47083bf to 1d6243a Compare June 17, 2025 17:57
sp1999
sp1999 reviewed Jun 17, 2025
View reviewed changes
pkg/api/v1alpha1/cluster_types.go Outdated
// ClusterCertificateInfo contains information about certificate expiration for cluster components.
type ClusterCertificateInfo struct {
// Component defines the machine name.
Component string `json:"component"`
Copy link
Member

@sp1999 sp1999 Jun 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we call it machine instead of component to make it more specific and less ambiguous in the status?

2ez4szliu
2ez4szliu reviewed Jun 17, 2025
View reviewed changes
pkg/certificates/scanner.go Outdated
}
}

if len(machines) == 0 {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When will we hit this condition?

@panktishah26 panktishah26 force-pushed the monitor-cluster-certificates branch from 1d6243a to 2a7cc00 Compare June 25, 2025 20:19
@2ez4szliu
Copy link
Member

/lgtm

@rajeshvenkata
Copy link
Member

/lgtm

sp1999
sp1999 reviewed Jun 25, 2025
View reviewed changes
pkg/certificates/scanner.go
defer conn.Close()

certs := conn.ConnectionState().PeerCertificates
if len(certs) == 0 {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When/why would we ever run into this situation?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can only think of a scenario when during an upgrade, there might be a brief moment when certificates aren't available yet.

@sp1999
Copy link
Member

sp1999 commented Jun 25, 2025

/lgtm

@panktishah26
Copy link
Member Author

/approve

@eks-distro-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: panktishah26

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@eks-distro-bot eks-distro-bot merged commit e37fda0 into aws:main Jun 25, 2025
13 of 15 checks passed
@panktishah26
Copy link
Member Author

/cherry-pick release-0.23

@eks-distro-pr-bot
Copy link
Contributor

@panktishah26: new pull request created: #9854

In response to this:

/cherry-pick release-0.23

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@eks-distro-pr-bot eks-distro-pr-bot mentioned this pull request Jun 26, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@2ez4szliu 2ez4szliu 2ez4szliu left review comments

@sp1999 sp1999 sp1999 left review comments

Assignees

@rajeshvenkata rajeshvenkata

@2ez4szliu 2ez4szliu

@sp1999 sp1999

Labels
approved lgtm size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@panktishah26 @2ez4szliu @rajeshvenkata @sp1999 @eks-distro-bot @eks-distro-pr-bot