Need to have a way to update certificate authority for RDS automatically #2044
Comments
Some investigations. First of all, if I omit field

The source manifest:

```yaml
apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  name: octagon
  namespace: infra-production
spec:
  copyTagsToSnapshot: true
  enableCloudwatchLogsExports:
    - audit
    - error
    - general
    - slowquery
  performanceInsightsEnabled: false
  deletionProtection: true
  enableIAMDatabaseAuthentication: true
  allocatedStorage: 20
  maxAllocatedStorage: 40
  dbInstanceClass: db.r5.large
  dbInstanceIdentifier: octagon
  engine: mysql
  engineVersion: "5.7"
  masterUsername: "root"
  masterUserPassword:
    namespace: infra-production
    name: "dragoncoin-password"
    key: password
  dbSubnetGroupRef:
    from:
      name: rds-subnet
  publiclyAccessible: false
  vpcSecurityGroupRefs:
    - from:
        name: limit-rds-to-subnet
  monitoringInterval: 5
  monitoringRoleARN: "arn:aws:iam::966321756598:role/rds-enhanced-monitoring-role"
```

The target object in the k8s API:

```yaml
apiVersion: rds.services.k8s.aws/v1alpha1
kind: DBInstance
metadata:
  annotations:
    rds.services.k8s.aws/last-applied-secret-reference: infra-production/dragoncoin-password.password
  name: dbserver-8
  generation: 24
  namespace: infra-production
  finalizers:
    - finalizers.rds.services.k8s.aws/DBInstance
  labels:
    kustomize.toolkit.fluxcd.io/name: infra-management
    kustomize.toolkit.fluxcd.io/namespace: flux-system
spec:
  engine: mysql
  preferredMaintenanceWindow: 'sat:23:25-sat:23:55'
  caCertificateIdentifier: rds-ca-2019
  enableIAMDatabaseAuthentication: true
  dbInstanceClass: db.t4g.micro
  storageThroughput: 0
  deletionProtection: true
  masterUserPassword:
    key: password
    name: dragoncoin-password
    namespace: infra-production
  licenseModel: general-public-license
  storageEncrypted: false
  autoMinorVersionUpgrade: true
  publiclyAccessible: false
  monitoringInterval: 5
  copyTagsToSnapshot: true
  dbSubnetGroupRef:
    from:
      name: rds-subnet
  multiAZ: false
  enableCloudwatchLogsExports:
    - audit
    - error
    - general
    - slowquery
  preferredBackupWindow: '03:28-03:58'
  allocatedStorage: 20
  storageType: gp2
  vpcSecurityGroupRefs:
    - from:
        name: limit-rds-to-subnet
  engineVersion: '8.0'
  performanceInsightsEnabled: false
  maxAllocatedStorage: 40
  masterUsername: root
  dbInstanceIdentifier: dbserver-8
  backupRetentionPeriod: 1
  monitoringRoleARN: 'arn:aws:iam::966321756598:role/rds-enhanced-monitoring-role'
```

I omitted the meaningless fields. We can see that

Now I want to change the RDS. Let's try:

I am getting in the status:

O.k., I am stupid and forgot that the CA names could be from a specific list. I found it in the Amazon doc here:

So we have the next options:

I changed the value to the proper one (

So the conclusions:
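An added example, not code from the ACK project or from anyone in this thread, of the semi-automatic check the issue asks for: audit the `caCertificateIdentifier` of a DBInstance against the CA list RDS publishes and, when the current CA is expiring, build the merge patch for the ACK object instead of clicking through the console. The `describe-certificates` sample and the manifest dict are constructed from the issue text, the `ValidTill` dates are placeholders, and the `kubectl patch dbinstance` resource name is an assumption.

```python
import json
from datetime import date, timedelta

# Constructed sample shaped like `aws rds describe-certificates` output;
# the ValidTill values are placeholders, not real AWS dates.
CERTS_SAMPLE = {"Certificates": [
    {"CertificateIdentifier": "rds-ca-2019", "ValidTill": "2024-08-22T17:08:50Z"},
    {"CertificateIdentifier": "rds-ca-rsa2048-g1", "ValidTill": "2061-05-22T22:17:24Z"},
]}

# Constructed from the target object quoted in the issue (relevant keys only).
DBINSTANCE = {
    "apiVersion": "rds.services.k8s.aws/v1alpha1",
    "kind": "DBInstance",
    "metadata": {"name": "dbserver-8", "namespace": "infra-production"},
    "spec": {"dbInstanceIdentifier": "dbserver-8",
             "caCertificateIdentifier": "rds-ca-2019"},
}


def valid_cas(certs, today_iso, horizon_days=90):
    """CA identifiers whose ValidTill lies beyond today + horizon_days."""
    cutoff = date.fromisoformat(today_iso) + timedelta(days=horizon_days)
    return {c["CertificateIdentifier"] for c in certs["Certificates"]
            if date.fromisoformat(c["ValidTill"][:10]) > cutoff}


def plan_ca_rotation(manifest, certs, target_ca, today_iso):
    """Return (needs_rotation, merge_patch); patch is None when the current CA
    is still fine. Raises ValueError if target_ca is unknown or itself expiring,
    the mistake the thread ran into (a name outside the RDS list)."""
    ok = valid_cas(certs, today_iso)
    if target_ca not in ok:
        raise ValueError(f"{target_ca!r} not in usable CA list {sorted(ok)}")
    if manifest["spec"].get("caCertificateIdentifier") in ok:
        return False, None
    return True, {"spec": {"caCertificateIdentifier": target_ca}}


def kubectl_patch_cmd(manifest, patch):
    """Render the merge patch for the ACK object (resource name is assumed)."""
    md = manifest["metadata"]
    return (f"kubectl patch dbinstance {md['name']} -n {md['namespace']} "
            f"--type merge -p '{json.dumps(patch)}'")


if __name__ == "__main__":
    needs, patch = plan_ca_rotation(DBINSTANCE, CERTS_SAMPLE,
                                    "rds-ca-rsa2048-g1", date.today().isoformat())
    print(kubectl_patch_cmd(DBINSTANCE, patch) if needs else "current CA still valid")
```

Run it against the real `describe-certificates` JSON and the manifest pulled with `kubectl get`, and the ACK controller applies the CA change on the next reconcile, which is the "no manual console action" path the issue wants.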
Issues go stale after 180d of inactivity.

/remove-lifecycle stale
Good day!
I am facing the issue that my RDS instances are running on old CA bundles. I know this because I am getting the next message in the Amazon Console:
As a DevOps engineer I want to have a way to re-roll CA bundles for my instances in a semi-automatic way, like a separate field with the current bundle version which I could change, or some well-documented process which DOES NOT involve manual actions in the Amazon Console.