chore(backend): add TLS certificate rotation documentation and helper scripts. Fixes #12328 #12457
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Hi @rahul810050. Thanks for your PR. I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
backend/README.md
Outdated
| @@ -1,359 +1,194 @@ | |||
| # Kubeflow Pipelines Backend | |||
| # Kubeflow Pipelines backend API | |||
There was a problem hiding this comment.
It looks like you've made some changes to this file that are out of scope for this PR - would you mind reverting the changes that are separate from ## TLS Certificate Rotation (Pod-to-Pod TLS)?
backend/README.md
Outdated
| [Delve](https://github.com/go-delve/delve), builds the binary without compiler optimizations so the binary matches the | ||
| source code (via `GCFLAGS="all=-N -l"`), and copies the source code to the destination container for the debugger. | ||
| Any changes to the Driver code will require rebuilding this container image. | ||
| # Update the Kubernetes TLS secret |
There was a problem hiding this comment.
A couple of your headings (including this one) have incorrect formatting - as this is a sub-heading below Recommended rotation procedure, it should be preceded by ####
backend/README.md
Outdated
| ### Context | ||
|
|
||
| You can also access the Kubeflow Pipelines web interface at [http://localhost:3000](http://localhost:3000). | ||
| When pod-to-pod TLS is enabled (see PR #12082), backend components (API server, launcher, persistence agent, cache, metadata writer, etc.) use TLS certificates stored in Kubernetes Secret(s). These certificates expire and must be rotated periodically. Updating the Secret object does not automatically make running pods load the new certificate: a restart (rolling restart) of the affected deployments is required so that they mount/read the new secret. |
There was a problem hiding this comment.
You don't need to reference the PR here
backend/README.md
Outdated
| ```bash | ||
| mysql -h 127.0.0.1 -u root | ||
| ``` | ||
| ### Which secrets and components are typically impacted |
There was a problem hiding this comment.
You can remove "typically", as the same deployments will be impacted each time
backend/README.md
Outdated
| kubectl -n kubeflow scale deployment ml-pipeline-scheduledworkflow --replicas=0 | ||
| ``` | ||
| * `pipelines-api-server` | ||
| * `pipelines-persistenceagent` |
There was a problem hiding this comment.
| * `pipelines-persistenceagent` | |
| * `ml-pipeline-persistenceagent` |
backend/README.md
Outdated
| ```bash | ||
| kubectl -n kubeflow scale deployment ml-pipeline-scheduledworkflow --replicas=0 | ||
| ``` | ||
| * `pipelines-api-server` |
There was a problem hiding this comment.
| * `pipelines-api-server` | |
| * `ml-pipeline-apiserver` |
backend/README.md
Outdated
| ``` | ||
| * `pipelines-api-server` | ||
| * `pipelines-persistenceagent` | ||
| * `pipelines-metadata-writer` |
There was a problem hiding this comment.
| * `pipelines-metadata-writer` | |
| * `metadata-writer` |
backend/README.md
Outdated
| * `pipelines-api-server` | ||
| * `pipelines-persistenceagent` | ||
| * `pipelines-metadata-writer` | ||
| * `pipelines-cache` |
There was a problem hiding this comment.
cache deployment does not require CA cert
backend/README.md
Outdated
| * `pipelines-persistenceagent` | ||
| * `pipelines-metadata-writer` | ||
| * `pipelines-cache` | ||
| * `(Any other pipeline-related deployments that reference the TLS secret)` |
There was a problem hiding this comment.
Include also:
metadata-envoy-deployment, metadata-grpc-deployment, ml-pipeline-scheduledworkflow, ml-pipeline-ui
|
Hii @alyssacgoins !! Thanks for the clarifications!! |
…scripts. Fixes kubeflow#12328 Signed-off-by: rahul810050 <rahul810050@gmail.com>
rahul810050
force-pushed
the
docs/backend/tls-cert-rotation
branch
from
1336f6f to
2830e7d
Compare
2 participants
chore(backend): add TLS certificate rotation documentation and helper scripts. Fixes #12328
Description of your changes:
This PR adds missing documentation for TLS certificate rotation required when using the pod-to-pod TLS feature introduced in PR #12082. When TLS secrets are renewed, backend services (API server, persistence agent, metadata writer, cache server, etc.) do not automatically reload updated certificate data. A rolling restart is required. This behavior was previously undocumented.
The updates included in this PR:
Documentation update (
backend/README.md):server.crt/server.key)kubectl create secret tls ... | kubectl apply -f -kubectl rollout restartHelper scripts added (optional but helpful for operators):
scripts/find-tls-refs.shIdentifies which pods/deployments reference the TLS secret (via volumes or env secretKeyRef).
Helps operators know exactly which deployments must be restarted.
scripts/rotate-tls.shApplies new TLS cert/key to the Kubernetes Secret and automatically restarts all deployments referencing the secret, waiting for rollout completion.
General improvements:
These changes directly address the missing operational documentation noted in issue #12328 and align with the maintainers’ suggestion to include example commands.
Checklist:
Learn more about the pull request title convention used in this repository.
Links