Skip to content

OCPBUGS-62422: staticpod/prune: Remove tmp cert file pruning #2053

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tchap wants to merge 2 commits into
base: master
Choose a base branch
from
Open

OCPBUGS-62422: staticpod/prune: Remove tmp cert file pruning #2053

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c9f261a
staticpod/prune: Remove tmp cert file pruning
tchap Nov 18, 2025
36add39
staticpod/prune: Remove certDir argument
tchap Nov 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
staticpod/prune: Remove tmp cert file pruning 
This is no longer needed as pruning happens in relevant sync looks that
actually write these certificates atomically.
  • Loading branch information
@tchap
tchap committed Nov 18, 2025
commit c9f261aeea2a4638c553780fa06826bac84f611f
47 changes: 3 additions & 44 deletions pkg/operator/staticpod/prune/cmd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,11 +4,9 @@ import (
"fmt"
"os"
"path"
"path/filepath"
"slices"
"strconv"
"strings"
"time"

"github.com/davecgh/go-spew/spew"
"github.com/spf13/cobra"
Expand All @@ -21,7 +19,6 @@ type PruneOptions struct {
ProtectedRevisions []int

ResourceDir string
CertDir string
StaticPodName string
}

Expand Down Expand Up @@ -58,7 +55,8 @@ func (o *PruneOptions) AddFlags(fs *pflag.FlagSet) {
fs.IntSliceVar(&o.ProtectedRevisions, "protected-revisions", o.ProtectedRevisions, "list of revision IDs to preserve (not delete)")
fs.StringVar(&o.ResourceDir, "resource-dir", o.ResourceDir, "directory for all files supporting the static pod manifest")
fs.StringVar(&o.StaticPodName, "static-pod-name", o.StaticPodName, "name of the static pod")
fs.StringVar(&o.CertDir, "cert-dir", o.CertDir, "directory for all certs")
fs.String("cert-dir", "", "directory for all certs")
fs.MarkDeprecated("cert-dir", "certificate directory is now being pruned in relevant sync loops") //nolint:errcheck
}

func (o *PruneOptions) Validate() error {
Expand Down Expand Up @@ -112,44 +110,5 @@ func (o *PruneOptions) Run() error {
return err
}
}

// prune any temporary certificate files
// we do create temporary files to atomically "write" various certificates to disk
// usually, these files are short-lived because they are immediately renamed, the following loop removes old/unused/dangling files
//
// the temporary files have the following form:
// /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/control-plane-node-kubeconfig/kubeconfig.tmp753375784
// /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/service-network-serving-certkey/tls.key.tmp643092404
if len(o.CertDir) == 0 {
return nil
}

// If the cert dir does not exist, do nothing.
// The dir will get eventually created by an installer pod.
if _, err := os.Stat(path.Join(o.ResourceDir, o.CertDir)); os.IsNotExist(err) {
klog.Infof("Skipping %s as it does not exist", path.Join(o.ResourceDir, o.CertDir))
return nil
}

return filepath.Walk(path.Join(o.ResourceDir, o.CertDir),
func(filePath string, info os.FileInfo, err error) error {
if err != nil {
return err
}
if info.IsDir() {
return nil
}
// info.Name() gives just a filename like tls.key or tls.key.tmp643092404
if !strings.Contains(info.Name(), ".tmp") {
return nil
}
if time.Now().Sub(info.ModTime()) > 30*time.Minute {
klog.Infof("Removing %s, the last time it was modified was %v", filePath, info.ModTime())
if err := os.RemoveAll(filePath); err != nil {
return err
}
}
return nil
},
)
return nil
}