2025-01-14: [ops] Rotate Certificate Authority for GKE/Kubernetes Cluster

Production Change

Change Summary

The cluster certificate authority will expire on 2025-03-31. You must rotate the cluster credentials before its expiry to prevent cluster outage. If no action is taken, Google will attempt to rotate the cluster credentials within 30 days of expiry as a last resort to keep the cluster operational. If you have already started the rotation process, please complete the rotation.

The existing Kubernetes CA in ops-gitlab-gke is going to expire on 2024-03-31. This requires manual intervention to ensure we rotate the CA without any impact/outage to the workloads.

Timing is important here, GKE automatically starts a CA rotation 30 days before it expires.

You can read more about the CA rotation process in the official GKE documentation.

Issue: production-engineering#26080 (closed)

Change Details

1. Services Impacted - ServiceKube
2. Change Technician - @pguinoiseau
3. Change Reviewer - @jcstephenson
4. Time tracking - 24 hours
5. Scheduled Date and Time (UTC in format YYYY-MM-DD HH:MM) - 2025-01-15 01:00
6. Downtime Component - GKE Cluster API Server

Set Maintenance Mode in GitLab

If your change involves scheduled maintenance, add a step to set and unset maintenance mode per our runbooks. This will make sure SLA calculations adjust for the maintenance period.

Detailed steps for the change

Change Steps - steps to take to execute the change

Estimated Time to Complete (mins) - 24 hours

• Set label changein-progress /label ~change::in-progress

• Check CA lifetime:

  gcloud container clusters describe ops-gitlab-gke --project=gitlab-ops --region=us-east1 --format="value(masterAuth.clusterCaCertificate)" | base64 --decode | openssl x509 -noout -dates

• Start the rotation (this command causes brief downtime for the cluster API server):

  gcloud container clusters update ops-gitlab-gke --project=gitlab-ops --region=us-east1 --start-credential-rotation

• Verify deployment pipelines are working by running an existing pipeline for ops cluster here.

  • Ensure it will be successfully deployed and all post-merge pipelines will be green.
  • The pipeline will still use the old IP address and CA.

• Recreate the nodes (make sure the version is the same GKE version the cluster already uses):

  • gcloud container clusters upgrade ops-gitlab-gke --project=gitlab-ops --location=us-east1 --cluster-version="1.31.1-gke.2105000" --node-pool="c3d-highmem-1" --async
  • gcloud container clusters upgrade ops-gitlab-gke --project=gitlab-ops --location=us-east1 --cluster-version="1.31.1-gke.2105000" --node-pool="default-n2d-3" --async
  • gcloud container clusters upgrade ops-gitlab-gke --project=gitlab-ops --location=us-east1 --cluster-version="1.31.1-gke.2105000" --node-pool="generic-spot-2" --async
  • gcloud container clusters upgrade ops-gitlab-gke --project=gitlab-ops --location=us-east1 --cluster-version="1.31.1-gke.2105000" --node-pool="generic-spot-3" --async
  • gcloud container clusters upgrade ops-gitlab-gke --project=gitlab-ops --location=us-east1 --cluster-version="1.31.1-gke.2105000" --node-pool="generic-spot-4" --async
  • gcloud container clusters upgrade ops-gitlab-gke --project=gitlab-ops --location=us-east1 --cluster-version="1.31.1-gke.2105000" --node-pool="generic-spot-5" --async
  • gcloud container clusters upgrade ops-gitlab-gke --project=gitlab-ops --location=us-east1 --cluster-version="1.31.1-gke.2105000" --node-pool="mimir-ingesters-1" --async
  • gcloud container clusters upgrade ops-gitlab-gke --project=gitlab-ops --location=us-east1 --cluster-version="1.31.1-gke.2105000" --node-pool="n2d-highmem-3" --async
  • gcloud container clusters upgrade ops-gitlab-gke --project=gitlab-ops --location=us-east1 --cluster-version="1.31.1-gke.2105000" --node-pool="n2d-highmem-4" --async
  • gcloud container clusters upgrade ops-gitlab-gke --project=gitlab-ops --location=us-east1 --cluster-version="1.31.1-gke.2105000" --node-pool="n2d-standard-1" --async
  • gcloud container clusters upgrade ops-gitlab-gke --project=gitlab-ops --location=us-east1 --cluster-version="1.31.1-gke.2105000" --node-pool="vault-6" --async

• Run a new pipeline here with ENV=ops and TF_REFRESH=true

  • Ensure the Terraform changes are applied.
  • Verify the Vault secret is updated with the new API server endpoint and credentials here.

• Recreate the vault-k8s-secrets-token secret:

  glsh kube use-cluster ops
  kubectl get secret vault-k8s-secrets-token --namespace=vault-k8s-secrets --output=json | jq 'del(.data)' | kubectl replace --namespace=vault-k8s-secrets --filename -

• Update the ServiceAccount JWT token in Vault:

  glsh kube use-cluster ops
  JWT_TOKEN="$(kubectl get secret vault-k8s-secrets-token --namespace vault-k8s-secrets --output jsonpath='{.data.token}' | base64 --decode)"
  glsh vault proxy
  vault login -method oidc
  vault kv put ci/ops-gitlab-net/gitlab-com/gl-infra/config-mgmt/vault-production/kubernetes/clusters/ops/ops-gitlab-gke service_account_jwt="$JWT_TOKEN"

• Verify the Vault secret is updated with the new service token here.

• Run a new pipeline here with ENV=vault-production

  • Ensure the Terraform changes are applied.

• Once again, verify deployment pipelines are working by running a new pipeline for ops cluster here.

  • Ensure it will be successfully deployed and all post-merge pipelines will be green.
  • The pipeline will now use the new IP address and CA.

• Complete the rotation (this command might cause a brief downtime for the cluster's API server):

  gcloud container clusters update ops-gitlab-gke --project=gitlab-ops --region=us-east1 --complete-credential-rotation

• Once again check CA lifetime and verify it is renewed:

  gcloud container clusters describe ops-gitlab-gke --project=gitlab-ops --region=us-east1 --format="value(masterAuth.clusterCaCertificate)" | base64 --decode | openssl x509 -noout -dates

• Finally, verify deployment pipelines are working one last time by running a new pipeline for ops cluster here.

  • Ensure it will be successfully deployed and all post-merge pipelines will be green.
  • The pipeline will now use the new IP address and CA.

• Post a message in #infrastructure_platforms channel and ask people to update their credentials:

  Hi team, we have successfully rotated the CA certificate for our Kubernetes cluster ops-gitlab-gke. This operation has created a new control plane with a new address and credentials. Please update your Kubernetes API clients by running the glsh kube setup command from the runbooks repo.

• Set label changecomplete /label ~change::complete

Rollback

Once we start to recreate the control plane, there is a chance of failure and if that happens, we CANNOT abort or roll back.

• If the control plane creation fails:
  • Declare a severity1 incident.
  • Engage with Google Cloud support and ask them to investigate the failure.
  • Recreate the ops-gitlab-gke cluster if needed.
• Set label changeaborted /label ~change::aborted

Monitoring

Key metrics to observe

• Metric: Metric Name
  • Location: Dashboard URL
  • What changes to this metric should prompt a rollback: Describe Changes

Change Reviewer checklist

C4 C3 C2 C1:

• Check if the following applies:
  • The scheduled day and time of execution of the change is appropriate.
  • The change plan is technically accurate.
  • The change plan includes estimated timing values based on previous testing.
  • The change plan includes a viable rollback plan.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.

C2 C1:

• Check if the following applies:
  • The complexity of the plan is appropriate for the corresponding risk of the change. (i.e. the plan contains clear details).
  • The change plan includes success measures for all steps/milestones during the execution.
  • The change adequately minimizes risk within the environment/service.
  • The performance implications of executing the change are well-understood and documented.
  • The specified metrics/monitoring dashboards provide sufficient visibility for the change.
    • If not, is it possible (or necessary) to make changes to observability platforms for added visibility?
  • The change has a primary and secondary SRE with knowledge of the details available during the change window.
  • The change window has been agreed with Release Managers in advance of the change. If the change is planned for APAC hours, this issue has an agreed pre-change approval.
  • The labels blocks deployments and/or blocks feature-flags are applied as necessary.

Change Technician checklist

• Check if all items below are complete:
  • The change plan is technically accurate.
  • This Change Issue is linked to the appropriate Issue and/or Epic
  • Change has been tested in staging and results noted in a comment on this issue.
  • A dry-run has been conducted and results noted in a comment on this issue.
  • The change execution window respects the Production Change Lock periods.
  • For C1 and C2 change issues, the change event is added to the GitLab Production calendar.
  • For C1 and C2 change issues, the SRE on-call has been informed prior to change being rolled out. (In #production channel, mention @sre-oncall and this issue and await their acknowledgement.)
  • For C1 and C2 change issues, the SRE on-call provided approval with the eoc_approved label on the issue.
  • For C1 and C2 change issues, the Infrastructure Manager provided approval with the manager_approved label on the issue. Mention @gitlab-org/saas-platforms/inframanagers in this issue to request approval and provide visibility to all infrastructure managers.
  • Release managers have been informed prior to any C1, C2, or blocks deployments change being rolled out. (In #production channel, mention @release-managers and this issue and await their acknowledgment.)
  • There are currently no active incidents that are severity1 or severity2
  • If the change involves doing maintenance on a database host, an appropriate silence targeting the host(s) should be added for the duration of the change.