Now the k8s cluster owner can rotate the CA cert to re-generate the CA of the cluster; the service account keys and the certs of all nodes will be regenerated as well. Cluster users need to get a new kubeconfig to access the Kubernetes API. This function is only supported by the Fedora CoreOS driver. To test this patch with python-magnumclient, you need this patch https://review.opendev.org/#/c/724243/, otherwise you will see an error about "not enough values to unpack", though the CA cert rotate request has been processed correctly by the Magnum server side. Task: 39580 Story: 2005201 Change-Id: I4ae12f928e4f49b99732fba097371692cb35d9eechanges/03/724203/21
16 changed files with 255 additions and 17 deletions
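--- /dev/null
+++ b/PLACEHOLDER_PATH_1_master_rotate_ca_script
@@ -0,0 +1,45 @@
+echo "START: rotate CA certs on master"
+
+set +x
+. /etc/sysconfig/heat-params
+set -x
+
+set -eu -o pipefail
+
+ssh_cmd="ssh -F /srv/magnum/.ssh/config root@localhost"
+
+service_account_key=$kube_service_account_key_input
+service_account_private_key=$kube_service_account_private_key_input
+
+if [ ! -z "$service_account_key" ] && [ ! -z "$service_account_private_key" ] ; then
+
+# Follow the instructions on https://kubernetes.io/docs/tasks/tls/manual-rotation-of-ca-certificates/
+for namespace in $(kubectl get namespace -o jsonpath='{.items[*].metadata.name}'); do
+for name in $(kubectl get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
+kubectl patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
+done
+for name in $(kubectl get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
+kubectl patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
+done
+done
+
+# Annotate any Daemonsets and Deployments to trigger pod replacement in a safer rolling fashion.
+for namespace in $(kubectl get namespace -o jsonpath='{.items[*].metadata.name}'); do
+for name in $(kubectl get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
+kubectl patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
+done
+for name in $(kubectl get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
+kubectl patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
+done
+done
+
+for service in etcd kube-apiserver kube-controller-manager kube-scheduler kubelet kube-proxy; do
+echo "restart service $service"
+$ssh_cmd systemctl restart $service
+done
+
+# NOTE(flwang): Re-patch the calico-node daemonset again to make sure all pods are being recreated
+kubectl patch daemonset -n kube-system calico-node -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "2"}}}}}';
+fi
+
+echo "END: rotate CA certs on master"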
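Review bot: The assignments `service_account_key=$kube_service_account_key_input` and `service_account_private_key=$kube_service_account_private_key_input` run after `set -x` has been re-enabled, so bash's trace prints the expanded private-key material to the script's output and whatever log captures it; the `set +x` window around sourcing heat-params does not cover them. Either move the two assignments and the non-empty test into that `set +x` window, or test the inputs in place without copying them under trace. The annotation loop under `# Follow the instructions on …` and the one under `# Annotate any Daemonsets and Deployments …` are byte-identical, so every deployment and daemonset is patched twice with the same `ca-rotation: "1"` annotation before the service restarts; one copy should go, and if the rollout is meant to happen before the restart loop a comment should say why, since as I read the referenced Kubernetes page the annotate step comes after the component restarts. Because `set -eu -o pipefail` precedes the assignments, an input missing from heat-params aborts the script under `-u` instead of skipping the `if` block; `service_account_key=${kube_service_account_key_input:-}` (and the same for the private key) would keep the intended no-op path. The worker section shares the trace and `set -u` points.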
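--- /dev/null
+++ b/PLACEHOLDER_PATH_2_worker_rotate_ca_script
@@ -0,0 +1,22 @@
+echo "START: rotate CA certs on worker"
+
+set +x
+. /etc/sysconfig/heat-params
+set -x
+
+set -eu -o pipefail
+
+ssh_cmd="ssh -F /srv/magnum/.ssh/config root@localhost"
+
+service_account_key=$kube_service_account_key_input
+service_account_private_key=$kube_service_account_private_key_input
+
+if [ ! -z "$service_account_key" ] && [ ! -z "$service_account_private_key" ] ; then
+
+for service in kubelet kube-proxy; do
+echo "restart service $service"
+$ssh_cmd systemctl restart $service
+done
+fi
+
+echo "END: rotate CA certs on worker"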
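Review bot: The worker script gates the kubelet and kube-proxy restart on both service-account keys being non-empty, yet nothing in this hunk uses those keys, and a worker presumably has no need to hold the service-account private key at all; if the condition is only meant to detect that a rotation was requested, a comment such as `# non-empty SA key inputs signal that a CA rotation was requested; nothing below writes them` would stop a reader assuming the keys are installed on the worker. The test itself reads more directly as `if [ -n "$service_account_key" ] && [ -n "$service_account_private_key" ]; then`. `$service` only ever expands to the two fixed names, so the unquoted use in `$ssh_cmd systemctl restart $service` is harmless here, but quoting it keeps the script ShellCheck-clean.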
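--- /dev/null
+++ b/PLACEHOLDER_PATH_3_release_note_yaml
@@ -0,0 +1,8 @@
+---
+features:
+- |
+Kubernetes cluster owner can now do CA cert rotate to re-generate CA of
+the cluster, service account keys and the certs of all nodes will
+be regenerated as well. Cluster user needs to get a new kubeconfig
+to access kubernetes API. This function is only supported by
+Fedora CoreOS driver.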