Fix upgrade for canal and apiserver cert

Fixes #1573
2026-05-07 09:27:38 -02:30 · 2017-08-29 19:35:27 +01:00
parent 76b72338da
commit 13d08af054
3 changed files with 11 additions and 15 deletions
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -82,10 +82,13 @@ gen_key_and_cert() {

 # Admins
 if [ -n "$MASTERS" ]; then
-    # If any host requires new certs, just regenerate all master certs
    # kube-apiserver
-    gen_key_and_cert "apiserver" "/CN=kube-apiserver"
-    cat ca.pem >> apiserver.pem
+    # Generate only if we don't have existing ca and apiserver certs
+    if ! [ -e "$SSLDIR/ca-key.pem" ] || ! [ -e "$SSLDIR/apiserver-key.pem" ]; then
+      gen_key_and_cert "apiserver" "/CN=kube-apiserver"
+      cat ca.pem >> apiserver.pem
+    fi
+    # If any host requires new certs, just regenerate scheduler and controller-manager master certs
    # kube-scheduler
    gen_key_and_cert "kube-scheduler" "/CN=system:kube-scheduler"
    # kube-controller-manager