[k8s] Fix CA rotate
Use admin.conf as the kubeconfig so the kubectl commands have the permissions needed to update pods to use the new CA certs. Story:2008858 Task: 42379 Change-Id: I4996060dd18ef3c448d4b225caec53bf0ae0ba75
parent
bc6ec3ab63
commit
ce8ac0248a
|
@ -14,22 +14,22 @@ service_account_private_key=$kube_service_account_private_key_input
|
|||
if [ ! -z "$service_account_key" ] && [ ! -z "$service_account_private_key" ] ; then
|
||||
|
||||
# Follow the instructions on https://kubernetes.io/docs/tasks/tls/manual-rotation-of-ca-certificates/
|
||||
for namespace in $(kubectl get namespace -o jsonpath='{.items[*].metadata.name}'); do
|
||||
for name in $(kubectl get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
|
||||
kubectl patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
|
||||
for namespace in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get namespace -o jsonpath='{.items[*].metadata.name}'); do
|
||||
for name in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
|
||||
kubectl --kubeconfig /etc/kubernetes/admin.conf patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
|
||||
done
|
||||
for name in $(kubectl get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
|
||||
kubectl patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
|
||||
for name in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
|
||||
kubectl --kubeconfig /etc/kubernetes/admin.conf patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
|
||||
done
|
||||
done
|
||||
|
||||
# Annotate any Daemonsets and Deployments to trigger pod replacement in a safer rolling fashion.
|
||||
for namespace in $(kubectl get namespace -o jsonpath='{.items[*].metadata.name}'); do
|
||||
for name in $(kubectl get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
|
||||
kubectl patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
|
||||
for namespace in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get namespace -o jsonpath='{.items[*].metadata.name}'); do
|
||||
for name in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
|
||||
kubectl --kubeconfig /etc/kubernetes/admin.conf patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
|
||||
done
|
||||
for name in $(kubectl get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
|
||||
kubectl patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
|
||||
for name in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
|
||||
kubectl --kubeconfig /etc/kubernetes/admin.conf patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
|
||||
done
|
||||
done
|
||||
|
||||
|
@ -39,7 +39,7 @@ if [ ! -z "$service_account_key" ] && [ ! -z "$service_account_private_key" ] ;
|
|||
done
|
||||
|
||||
# NOTE(flwang): Re-patch the calico-node daemonset again to make sure all pods are being recreated
|
||||
kubectl patch daemonset -n kube-system calico-node -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "2"}}}}}';
|
||||
kubectl --kubeconfig /etc/kubernetes/admin.conf patch daemonset -n kube-system calico-node -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "2"}}}}}';
|
||||
fi
|
||||
|
||||
echo "END: rotate CA certs on master"
|
||||
|
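Review bot: Every kubectl call on the new side runs unchecked — starting at `for namespace in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get namespace ...)` — so if admin.conf is missing or rejected the command substitution yields an empty list, the loops silently do nothing, and the rolling restart the `ca-rotation` annotation is meant to trigger never happens while the script still prints "END: rotate CA certs on master"; the same applies to the calico-node re-patch in the second hunk. I would hoist the kubeconfig into one wrapper, `kubectl_admin() { kubectl --kubeconfig /etc/kubernetes/admin.conf "$@"; }`, rather than repeating the path on each of the eleven calls, and fail fast on the listing, `namespaces=$(kubectl_admin get namespace -o jsonpath='{.items[*].metadata.name}') || { echo "failed to list namespaces with admin.conf" >&2; exit 1; }`. Each `patch deployment`/`patch daemonset` line should likewise end in `|| exit 1`, since a failed patch means that workload is never rolled onto the rotated CA. The enclosing `if [ ! -z "$service_account_key" ] ...` block opens in the first hunk and its `fi` is in the second; the lines between the two hunks are not shown here.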