[k8s] Fix CA rotate

Use admin.conf as the kubeconfig so the kubectl commands that update pods
to the new CA certs run with the required permissions.

Story:2008858
Task: 42379

Change-Id: I4996060dd18ef3c448d4b225caec53bf0ae0ba75
Feilong Wang 2021-04-27 19:19:35 +12:00
parent bc6ec3ab63
commit c15be56ba2
1 changed files with 12 additions and 11 deletions


@ -7,6 +7,7 @@ set -x
set -eu -o pipefail
ssh_cmd="ssh -F /srv/magnum/.ssh/config root@localhost"
KUBECONFIG="/etc/kubernetes/admin.conf"
service_account_key=$kube_service_account_key_input
service_account_private_key=$kube_service_account_private_key_input
@ -14,22 +15,22 @@ service_account_private_key=$kube_service_account_private_key_input
if [ ! -z "$service_account_key" ] && [ ! -z "$service_account_private_key" ] ; then
# Follow the instructions on https://kubernetes.io/docs/tasks/tls/manual-rotation-of-ca-certificates/
for namespace in $(kubectl get namespace -o jsonpath='{.items[*].metadata.name}'); do
for name in $(kubectl get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
for namespace in $(kubectl --kubeconfig $KUBECONFIG get namespace -o jsonpath='{.items[*].metadata.name}'); do
for name in $(kubectl --kubeconfig $KUBECONFIG get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl --kubeconfig $KUBECONFIG patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
done
for name in $(kubectl get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
for name in $(kubectl --kubeconfig $KUBECONFIG get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl --kubeconfig $KUBECONFIG patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
done
done
# Annotate any Daemonsets and Deployments to trigger pod replacement in a safer rolling fashion.
for namespace in $(kubectl get namespace -o jsonpath='{.items[*].metadata.name}'); do
for name in $(kubectl get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
for namespace in $(kubectl --kubeconfig $KUBECONFIG get namespace -o jsonpath='{.items[*].metadata.name}'); do
for name in $(kubectl --kubeconfig $KUBECONFIG get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl --kubeconfig $KUBECONFIG patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
done
for name in $(kubectl get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
for name in $(kubectl --kubeconfig $KUBECONFIG get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl --kubeconfig $KUBECONFIG patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
done
done
@ -39,7 +40,7 @@ if [ ! -z "$service_account_key" ] && [ ! -z "$service_account_private_key" ] ;
done
# NOTE(flwang): Re-patch the calico-node daemonset again to make sure all pods are being recreated
kubectl patch daemonset -n kube-system calico-node -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "2"}}}}}';
kubectl --kubeconfig $KUBECONFIG patch daemonset -n kube-system calico-node -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "2"}}}}}';
fi
echo "END: rotate CA certs on master"
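Review bot: The second loop block (from the `# Annotate any Daemonsets and Deployments …` comment to its closing `done`) patches every Deployment and DaemonSet with the same `"ca-rotation": "1"` annotation the first block already applied, so unless the rendering dropped something between the two blocks, the second pass leaves the pod template unchanged and triggers no rollout; the calico-node re-patch at the end avoids this with `"2"`, and the second pass needs a distinct value in the same way (a per-run value such as a timestamp would also work). A point of style: `KUBECONFIG` is the variable kubectl already reads from the environment, so `export KUBECONFIG="/etc/kubernetes/admin.conf"` on the line the commit adds would replace the eleven repeated `--kubeconfig $KUBECONFIG` arguments and also cover any kubectl invocation the sweep missed; if the argument is kept, it should be quoted as `--kubeconfig "$KUBECONFIG"`. Since the script runs under `set -eu -o pipefail`, one `kubectl patch` failing on a resource that was deleted between the list and the patch aborts the rotation midway with some workloads restarted and others not, which is worth either tolerating explicitly with a commented `|| true` or logging and continuing.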