-
Notifications
You must be signed in to change notification settings - Fork 14.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix advice about checking certificate expiry #45127
Conversation
In this section - I found the provided commands didn't generate the desired results. The proposed commands seem to work for me. Validated with: kubectl version Client Version: v1.28.6 Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3 Server Version: v1.28.6 openssl version OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) base64 (GNU coreutils) 8.32
Welcome @wushka00! |
✅ Pull request preview available for checkingBuilt without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify site configuration. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One minor detail. Otherwise I think this looks good. Piping the output is simpler than having a nested command, and makes it easier to inspect things visually if you want to drop any of the trailing commands.
content/en/docs/tasks/debug/debug-cluster/troubleshoot-kubectl.md
Outdated
Show resolved
Hide resolved
Thanks and agreed regarding format change. Co-authored-by: Sean McGinnis <sean.mcginnis@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
@@ -123,23 +123,23 @@ directory. The `certificate-authority` attribute contains the CA certificate and | |||
Verify the expiry of these certificates: | |||
|
|||
```shell | |||
openssl x509 -noout -dates -in $(kubectl config view --minify --output 'jsonpath={.clusters[0].cluster.certificate-authority}') | |||
kubectl config view --flatten --output 'jsonpath={.clusters[0].cluster.certificate-authority-data}' | base64 -d | openssl x509 -noout -dates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(nit)
I'd mention base64
in the page prerequisites. Also openssl
, although it should have been there anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not clear to me how to best advise base64 and openssl as pre-requisites. base64 is part GNU core utilities and for openssl, as you suggest, should be already there...from my perspective, if you are this far in i.e. troubleshooting, both of these requirements would be implicitly met.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi - this is my first PR - is there something else that needs to be done for it to be merged? thankls.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not clear to me how to best advise base64 and openssl as pre-requisites. base64 is part GNU core utilities and for openssl, as you suggest, should be already there...from my perspective, if you are this far in i.e. troubleshooting, both of these requirements would be implicitly met.
Mention these in the prerequisites section.
This is a little like a recipe; a recipe for a meal might say something like:
- preheat the oven to 220°C
- you will need a steamer basket and an ovenproof metal bowl at least 15cm deep
[and a list of ingredients]
Even though cooks reading that recipe probably have an oven and the utensils, listing them all is helpful. If someone wanted to do troubleshooting and they don't have openssl
, it's helpful for them to know that right from the start.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi - thanks for the suggestion. I considered putting into the prerequisites but given not all issues in this document required those tools, I thought some additional tooling in the TLS problems passage would be cleaner - however, this may not comply with the doc standard so I am also ok to move it into the prerequisites - just let us know.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Even better: also update the prerequisites section of the page to mention base64
(and might as well add openssl
).
LGTM label has been added. Git tree hash: 723ea01fdd7b212ec79c339017eae7e958ac3e4e
|
Included reference to additional tools in TLS problems.
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
``` | ||
|
||
```shell | ||
openssl x509 -noout -dates -in $(kubectl config view --minify --output 'jsonpath={.users[0].user.client-certificate}') | ||
kubectl config view --flatten --output 'jsonpath={.users[0].user.client-certificate-data}'| base64 -d | openssl x509 -noout -dates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why's this better?
/retitle Fix advice about checking certificate expiry |
LGTM label has been added. Git tree hash: 147377161a91319120f6f86230412c7e026d9805
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this change @wushka00!
I'm approving the change since I find it to be technically sound, however, please could you respond to this comment by @sftim
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: divya-mohan0209 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
In this section - I found the provided commands didn't generate the desired results.
The proposed commands seem to work for me.
Validated with:
kubectl version
Client Version: v1.28.6
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3 Server Version: v1.28.6
openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
base64 (GNU coreutils) 8.32