Auto renew control plane certificates (#7358)

While at it remove force_certificate_regeneration This boolean only forced the renewal of the apiserver certs Either manually use k8s-certs-renew.sh or set auto_renew_certificates Signed-off-by: Etienne Champetier <e.champetier@ateme.com> (cherry picked from commit efa180392b) Conflicts: roles/kubernetes/master/templates/k8s-certs-renew.service.j2 roles/kubernetes/master/templates/k8s-certs-renew.sh.j2 roles/kubernetes/master/templates/k8s-certs-renew.timer.j2
2026-05-07 09:27:38 -02:30 · 2021-03-22 14:22:48 -04:00
parent 4e52da6a35
commit b19d109a12
8 changed files with 73 additions and 6 deletions
--- a/roles/kubernetes/master/templates/k8s-certs-renew.service.j2
+++ b/roles/kubernetes/master/templates/k8s-certs-renew.service.j2
@@ -0,0 +1,6 @@
+[Unit]
+Description=Renew K8S control plane certificates
+
+[Service]
+Type=oneshot
+ExecStart={{ bin_dir }}/k8s-certs-renew.sh
--- a/roles/kubernetes/master/templates/k8s-certs-renew.sh.j2
+++ b/roles/kubernetes/master/templates/k8s-certs-renew.sh.j2
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+echo "## Expiration before renewal ##"
+{{ bin_dir }}/kubeadm certs check-expiration
+
+echo "## Renewing certificates managed by kubeadm ##"
+{{ bin_dir }}/kubeadm certs renew all
+
+echo "## Restarting control plane pods managed by kubeadm ##"
+{% if container_manager == "docker" %}
+{{ docker_bin_dir }}/docker ps -af 'name=k8s_POD_(kube-apiserver|kube-controller-manager|kube-scheduler|etcd)-*' -q | /usr/bin/xargs {{ docker_bin_dir }}/docker rm -f"
+{% else %}
+{{ bin_dir }}/crictl pods --namespace kube-system --name 'kube-scheduler-*|kube-controller-manager-*|kube-apiserver-*|etcd-*' -q | /usr/bin/xargs {{ bin_dir }}/crictl rmp -f
+{% endif %}
+
+echo "## Updating /root/.kube/config ##"
+/usr/bin/cp {{ kube_config_dir }}/admin.conf /root/.kube/config
+
+echo "## Waiting for apiserver to be up again ##"
+until printf "" 2>>/dev/null >>/dev/tcp/127.0.0.1/6443; do sleep 1; done
+
+echo "## Expiration after renewal ##"
+{{ bin_dir }}/kubeadm certs check-expiration
--- a/roles/kubernetes/master/templates/k8s-certs-renew.timer.j2
+++ b/roles/kubernetes/master/templates/k8s-certs-renew.timer.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description=Timer to renew K8S control plane certificates
+
+[Timer]
+# First Monday of each month
+OnCalendar=Mon *-*-1..7 03:{{ groups['kube-master'].index(inventory_hostname) }}0:00
+
+[Install]
+WantedBy=multi-user.target