Auto renew control plane certificates #7358

Merged
merged 1 commit into from
Mar 22, 2021
Auto renew control plane certificates
While at it, remove force_certificate_regeneration.
This boolean only forced the renewal of the apiserver certs.
Either manually use k8s-certs-renew.sh or set auto_renew_certificates.

Signed-off-by: Etienne Champetier <[email protected]>
champtar committed Mar 9, 2021
commit faa5f46c9f2fe782524d0309b7e661ced786cf7f
5 changes: 3 additions & 2 deletions inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -329,5 +329,6 @@ persistent_volumes_enabled: false

## Amount of time to retain events. (default 1h0m0s)
event_ttl_duration: "1h0m0s"
## Force regeneration of kubernetes control plane certificates without the need of bumping the cluster version
force_certificate_regeneration: false

## Automatically renew K8S control plane certificates on first Monday of each month
auto_renew_certificates: false
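Review bot: dropping `force_certificate_regeneration` from the sample inventory is a silent behaviour change for anyone who still sets it, because an unknown variable in group_vars is simply ignored rather than rejected. The commit message points such users at `k8s-certs-renew.sh` or `auto_renew_certificates`, but nothing in this hunk does; keep a one-line comment next to `auto_renew_certificates` saying the old flag is gone and what replaces it, or add an upgrade note.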
5 changes: 3 additions & 2 deletions roles/kubernetes/control-plane/defaults/main/main.yml
@@ -194,5 +194,6 @@ secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm

## Amount of time to retain events. (default 1h0m0s)
event_ttl_duration: "1h0m0s"
## Force regeneration of kubernetes control plane certificates without the need of bumping the cluster version
force_certificate_regeneration: false

## Automatically renew K8S control plane certificates on first Monday of each month
auto_renew_certificates: false
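Review bot: the comment above `auto_renew_certificates: false` should state what the default actually means: with `false`, nothing renews the control plane certificates and the operator is expected to run `{{ bin_dir }}/k8s-certs-renew.sh` by hand. This block is duplicated verbatim in `inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml`; keep the wording identical in both places so the sample inventory does not drift from the role default.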
4 changes: 2 additions & 2 deletions roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -99,7 +99,7 @@
when:
- inventory_hostname == groups['kube-master']|first
- kubeadm_already_run.stat.exists
- apiserver_sans_check.changed or force_certificate_regeneration
- apiserver_sans_check.changed

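Review bot: with `or force_certificate_regeneration` gone, `apiserver_sans_check.changed` is the only trigger left for the two "regenerate apiserver cert" tasks, so there is no longer any playbook-driven way to force them; that is the intent of the commit, but a short comment on the task saying "on-demand renewal is done by k8s-certs-renew.sh" would stop the next reader from reintroducing a force flag. Also grep for any remaining reference to `force_certificate_regeneration` (docs, CI inventories, other `when:` clauses): a leftover use in a conditional would now fail with an undefined variable instead of being ignored.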
- name: kubeadm | regenerate apiserver cert 2/2
command: >-
@@ -109,7 +109,7 @@
when:
- inventory_hostname == groups['kube-master']|first
- kubeadm_already_run.stat.exists
- apiserver_sans_check.changed or force_certificate_regeneration
- apiserver_sans_check.changed

- name: kubeadm | Initialize first master
command: >-
24 changes: 24 additions & 0 deletions roles/kubernetes/control-plane/tasks/main.yml
@@ -66,3 +66,27 @@
- name: Include kubelet client cert rotation fixes
include_tasks: kubelet-fix-client-cert-rotation.yml
when: kubelet_rotate_certificates

- name: Install script to renew K8S control plane certificates
template:
src: k8s-certs-renew.sh.j2
dest: "{{ bin_dir }}/k8s-certs-renew.sh"
mode: '755'

- name: Renew K8S control plane certificates monthly 1/2
template:
src: "{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
with_items:
- k8s-certs-renew.service
- k8s-certs-renew.timer
register: k8s_certs_units
when: auto_renew_certificates

- name: Renew K8S control plane certificates monthly 2/2
systemd:
name: k8s-certs-renew.timer
enabled: yes
state: started
daemon-reload: "{{ k8s_certs_units is changed }}"
when: auto_renew_certificates
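Review bot: there is no opt-out path in the "monthly 1/2" and "2/2" tasks: once `auto_renew_certificates` has been `true` on a cluster, flipping it back to `false` only skips both tasks, so `k8s-certs-renew.timer` stays enabled and keeps firing. Add a counterpart guarded by `when: not auto_renew_certificates` that runs `systemd: name: k8s-certs-renew.timer` with `enabled: no` and `state: stopped` (tolerating the error when the unit was never installed) and removes the two unit files. Minor: the script itself is installed unconditionally, which matches the commit message ("manually use k8s-certs-renew.sh"), but saying so in the task name would make the asymmetry with the timer tasks obvious.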
@@ -0,0 +1,6 @@
[Unit]
Description=Renew K8S control plane certificates

[Service]
Type=oneshot
ExecStart={{ bin_dir }}/k8s-certs-renew.sh
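Review bot: the unit carries no ordering against the kubelet, yet the script it runs deletes the static control plane pods and relies on the kubelet to recreate them; add `After=kubelet.service` (and `Wants=kubelet.service`) so a run that coincides with boot does not leave the node without an apiserver. Because `Type=oneshot` has no start timeout by default and the script can wait forever for port 6443, also set `TimeoutStartSec=` to a sane bound so a stuck renewal surfaces as a failed unit instead of a hung one.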
23 changes: 23 additions & 0 deletions roles/kubernetes/control-plane/templates/k8s-certs-renew.sh.j2
@@ -0,0 +1,23 @@
#!/bin/bash

echo "## Expiration before renewal ##"
{{ bin_dir }}/kubeadm certs check-expiration

echo "## Renewing certificates managed by kubeadm ##"
{{ bin_dir }}/kubeadm certs renew all

echo "## Restarting control plane pods managed by kubeadm ##"
{% if container_manager == "docker" %}
{{ docker_bin_dir }}/docker ps -af 'name=k8s_POD_(kube-apiserver|kube-controller-manager|kube-scheduler|etcd)-*' -q | /usr/bin/xargs {{ docker_bin_dir }}/docker rm -f"
{% else %}
{{ bin_dir }}/crictl pods --namespace kube-system --name 'kube-scheduler-*|kube-controller-manager-*|kube-apiserver-*|etcd-*' -q | /usr/bin/xargs {{ bin_dir }}/crictl rmp -f
{% endif %}

echo "## Updating /root/.kube/config ##"
/usr/bin/cp {{ kube_config_dir }}/admin.conf /root/.kube/config

echo "## Waiting for apiserver to be up again ##"
until printf "" 2>>/dev/null >>/dev/tcp/127.0.0.1/6443; do sleep 1; done

echo "## Expiration after renewal ##"
{{ bin_dir }}/kubeadm certs check-expiration
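Review bot: the docker branch has a stray trailing double quote (`... | /usr/bin/xargs {{ docker_bin_dir }}/docker rm -f"`), which makes bash abort with an unterminated-string error whenever `container_manager == "docker"`; remove it. The script also has no `set -e`/`pipefail`, so if `kubeadm certs renew all` fails (or `kubeadm` is not found in `{{ bin_dir }}`) it still deletes the apiserver, controller-manager, scheduler and etcd pods and overwrites `/root/.kube/config`; start with `set -euo pipefail` and only restart anything after `kubeadm certs renew all` has succeeded. Finally the `until printf "" ... /dev/tcp/127.0.0.1/6443` loop is unbounded and hard-codes the port; give it a retry limit that exits non-zero so the failure is visible in the unit status, and take the port from the inventory if it is configurable there.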
@@ -0,0 +1,9 @@
[Unit]
Description=Timer to renew K8S control plane certificates

[Timer]
# First Monday of each month
OnCalendar=Mon *-*-1..7 03:{{ groups['kube-master'].index(inventory_hostname) }}0:00

[Install]
WantedBy=multi-user.target
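Review bot: `OnCalendar=Mon *-*-1..7 03:{{ groups['kube-master'].index(inventory_hostname) }}0:00` only renders a valid time for the first six control plane nodes: index 6 produces `03:60:00`, which systemd rejects, so the timer fails to load on the seventh master. Derive hour and minute from the index (for example `03 + index // 6` and `(index * 10) % 60`) instead of appending a digit. Two smaller points: without `Persistent=true` a node that is down or being upgraded during its ten-minute window silently skips the month, and timers are conventionally installed with `WantedBy=timers.target` rather than `multi-user.target`.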
3 changes: 3 additions & 0 deletions roles/reset/tasks/main.yml
@@ -21,6 +21,8 @@
- containerd.service.d/http-proxy.conf
- crio.service.d/http-proxy.conf
- vault.service.d/http-proxy.conf
- k8s-certs-renew.service
- k8s-certs-renew.timer
register: services_removed
tags:
- services
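Review bot: `k8s-certs-renew.timer` is removed here as a plain file while it may still be enabled and active; systemd keeps the loaded timer until the next daemon-reload and the `multi-user.target.wants` symlink is left dangling. Stop and disable the timer (`systemd: name: k8s-certs-renew.timer`, `state: stopped`, `enabled: no`, tolerating a missing unit) before this removal loop runs.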
@@ -292,6 +294,7 @@
- "{{ bin_dir }}/weave"
- "{{ bin_dir }}/crictl"
- "{{ bin_dir }}/netctl"
- "{{ bin_dir }}/k8s-certs-renew.sh"
- /var/lib/cni
- /etc/openvswitch
- /run/openvswitch