
Auto renew control plane certificates (kubernetes-sigs#7358)
While at it remove force_certificate_regeneration
This boolean only forced the renewal of the apiserver certs
Either manually use k8s-certs-renew.sh or set auto_renew_certificates

Signed-off-by: Etienne Champetier <[email protected]>
champtar authored and zexi committed Nov 9, 2022
1 parent 57d9df0 commit ef701bc
Showing 8 changed files with 73 additions and 6 deletions.
5 changes: 3 additions & 2 deletions inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
Expand Up @@ -310,5 +310,6 @@ persistent_volumes_enabled: false

## Amount of time to retain events. (default 1h0m0s)
event_ttl_duration: "1h0m0s"
## Force regeneration of kubernetes control plane certificates without the need of bumping the cluster version
force_certificate_regeneration: false

## Automatically renew K8S control plane certificates on first Monday of each month
auto_renew_certificates: false
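Review bot: The comment on `auto_renew_certificates` describes only the schedule, while the renewal script is installed unconditionally and is the documented manual path, so the sample inventory should say so; the identical comment in roles/kubernetes/master/defaults/main/main.yml has the same gap. Suggested wording: `## Automatically renew K8S control plane certificates on first Monday of each month (k8s-certs-renew.sh is always installed under bin_dir and can be run by hand)`. It may also help to state that the timer is installed on every host in kube-master, staggered by host index, so operators know each control plane node restarts its own static pods.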
5 changes: 3 additions & 2 deletions roles/kubernetes/master/defaults/main/main.yml
Expand Up @@ -193,5 +193,6 @@ secrets_encryption_query: "resources[*].providers[0].{{kube_encryption_algorithm

## Amount of time to retain events. (default 1h0m0s)
event_ttl_duration: "1h0m0s"
## Force regeneration of kubernetes control plane certificates without the need of bumping the cluster version
force_certificate_regeneration: false

## Automatically renew K8S control plane certificates on first Monday of each month
auto_renew_certificates: false
4 changes: 2 additions & 2 deletions roles/kubernetes/master/tasks/kubeadm-setup.yml
Expand Up @@ -130,7 +130,7 @@
when:
- inventory_hostname == groups['kube-master']|first
- kubeadm_already_run.stat.exists
- apiserver_sans_check.changed or force_certificate_regeneration
- apiserver_sans_check.changed

- name: kubeadm | regenerate apiserver cert 2/2
command: >-
Expand All @@ -140,7 +140,7 @@
when:
- inventory_hostname == groups['kube-master']|first
- kubeadm_already_run.stat.exists
- apiserver_sans_check.changed or force_certificate_regeneration
- apiserver_sans_check.changed

- name: kubeadm | Initialize first master
command: >-
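Review bot: Dropping `force_certificate_regeneration` from the two `when` lists leaves inventories that still set it with a silently ignored variable; the sample group_vars is updated in this commit, but nothing on the new side warns an operator whose own inventory still carries `force_certificate_regeneration: true`. A deprecation `assert` (failing when the variable is defined and pointing at `auto_renew_certificates` or `k8s-certs-renew.sh`) or a line in the upgrade notes would make the removal visible. Both tasks begin above the visible hunk lines, so the remainder of each `when` list is not in view here.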
24 changes: 24 additions & 0 deletions roles/kubernetes/master/tasks/main.yml
Expand Up @@ -66,3 +66,27 @@
- name: Include kubelet client cert rotation fixes
include_tasks: kubelet-fix-client-cert-rotation.yml
when: kubelet_rotate_certificates

- name: Install script to renew K8S control plane certificates
template:
src: k8s-certs-renew.sh.j2
dest: "{{ bin_dir }}/k8s-certs-renew.sh"
mode: '755'

- name: Renew K8S control plane certificates monthly 1/2
template:
src: "{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
with_items:
- k8s-certs-renew.service
- k8s-certs-renew.timer
register: k8s_certs_units
when: auto_renew_certificates

- name: Renew K8S control plane certificates monthly 2/2
systemd:
name: k8s-certs-renew.timer
enabled: yes
state: started
daemon-reload: "{{ k8s_certs_units is changed }}"
when: auto_renew_certificates
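Review bot: `Renew K8S control plane certificates monthly 2/2` only ever enables and starts the timer, so an operator who later flips `auto_renew_certificates` back to `false` keeps a running timer — no task on the new side stops or disables `k8s-certs-renew.timer`. One way to make the variable a real toggle is to install the unit files unconditionally and drive `enabled`/`state` from the variable, as below. Minor points in the same hunk: `enabled: yes` should be `enabled: true` (yamllint truthy), and `mode: '755'` reads more clearly as `mode: '0755'`.
```yaml
# … unchanged: Install script to renew K8S control plane certificates …

- name: Renew K8S control plane certificates monthly 1/2
  template:
    src: "{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
  with_items:
    - k8s-certs-renew.service
    - k8s-certs-renew.timer
  register: k8s_certs_units

- name: Renew K8S control plane certificates monthly 2/2
  systemd:
    name: k8s-certs-renew.timer
    enabled: "{{ auto_renew_certificates }}"
    state: "{{ 'started' if auto_renew_certificates else 'stopped' }}"
    daemon-reload: "{{ k8s_certs_units is changed }}"
```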
6 changes: 6 additions & 0 deletions roles/kubernetes/master/templates/k8s-certs-renew.service.j2
@@ -0,0 +1,6 @@
[Unit]
Description=Renew K8S control plane certificates

[Service]
Type=oneshot
ExecStart={{ bin_dir }}/k8s-certs-renew.sh
23 changes: 23 additions & 0 deletions roles/kubernetes/master/templates/k8s-certs-renew.sh.j2
@@ -0,0 +1,23 @@
#!/bin/bash

echo "## Expiration before renewal ##"
{{ bin_dir }}/kubeadm certs check-expiration

echo "## Renewing certificates managed by kubeadm ##"
{{ bin_dir }}/kubeadm certs renew all

echo "## Restarting control plane pods managed by kubeadm ##"
{% if container_manager == "docker" %}
{{ docker_bin_dir }}/docker ps -af 'name=k8s_POD_(kube-apiserver|kube-controller-manager|kube-scheduler|etcd)-*' -q | /usr/bin/xargs {{ docker_bin_dir }}/docker rm -f"
{% else %}
{{ bin_dir }}/crictl pods --namespace kube-system --name 'kube-scheduler-*|kube-controller-manager-*|kube-apiserver-*|etcd-*' -q | /usr/bin/xargs {{ bin_dir }}/crictl rmp -f
{% endif %}
echo "## Updating /root/.kube/config ##"
/usr/bin/cp {{ kube_config_dir }}/admin.conf /root/.kube/config

echo "## Waiting for apiserver to be up again ##"
until printf "" 2>>/dev/null >>/dev/tcp/127.0.0.1/6443; do sleep 1; done

echo "## Expiration after renewal ##"
{{ bin_dir }}/kubeadm certs check-expiration
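Review bot: The docker branch line `... | /usr/bin/xargs {{ docker_bin_dir }}/docker rm -f"` ends with a stray `"`; rendered with `container_manager == "docker"` the script contains an unterminated quote, so bash would already have executed `kubeadm certs renew all` and then abort before the control plane pods are restarted, leaving the apiserver serving the old certificate until its next restart. The script also has no `set -e`, so a failed renewal still restarts the pods and the unit exits 0 on the final `check-expiration`; adding `set -euo pipefail` after the shebang, plus `xargs -r` so an empty pod list is not itself an error, would surface failures in the timer's journal. The readiness wait on `/dev/tcp/127.0.0.1/6443` hard-codes the apiserver port; if the role already has a variable for it (kubespray's `kube_apiserver_port`), use it here as well.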
9 changes: 9 additions & 0 deletions roles/kubernetes/master/templates/k8s-certs-renew.timer.j2
@@ -0,0 +1,9 @@
[Unit]
Description=Timer to renew K8S control plane certificates

[Timer]
# First Monday of each month
OnCalendar=Mon *-*-1..7 03:{{ groups['kube-master'].index(inventory_hostname) }}0:00

[Install]
WantedBy=multi-user.target
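Review bot: `OnCalendar=Mon *-*-1..7 03:{{ ... }}0:00` builds the minute field by appending `0` to the host's index in `kube-master`, so the seventh control plane node renders `03:60:00`, which systemd rejects and the timer never fires there; `OnCalendar=Mon *-*-1..7 03:{{ '%02d' | format((groups['kube-master'].index(inventory_hostname) * 10) % 60) }}:00` stays valid for any node count (higher indices wrap onto earlier slots). There is no `Persistent=true`, so a node that is down at its slot skips the whole month; since the renewal script is safe to rerun, `Persistent=true` in `[Timer]` is the safer default. `WantedBy=timers.target` is the conventional target for timer units, though `multi-user.target` also works.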
3 changes: 3 additions & 0 deletions roles/reset/tasks/main.yml
Expand Up @@ -18,6 +18,8 @@
- kubelet
- vault
- calico-node
- k8s-certs-renew.service
- k8s-certs-renew.timer
register: services_removed
tags:
- services
Expand Down Expand Up @@ -258,6 +260,7 @@
- "{{ bin_dir }}/weave"
- "{{ bin_dir }}/crictl"
- "{{ bin_dir }}/netctl"
- "{{ bin_dir }}/k8s-certs-renew.sh"
- /var/lib/cni
- /etc/vault
- /etc/openvswitch
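Review bot: The second hunk deletes `{{ bin_dir }}/k8s-certs-renew.sh`, but as far as this section shows the unit files written to `/etc/systemd/system/k8s-certs-renew.service` and `.timer` are only stopped through the `services_removed` loop, not deleted; unless the role removes them elsewhere, add `- /etc/systemd/system/k8s-certs-renew.service` and `- /etc/systemd/system/k8s-certs-renew.timer` to the same file list so a reset node does not keep a dangling unit pointing at a removed script. Both hunks sit inside loops whose task headers start above the visible lines.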
