[k8s] Fix CA rotate

Use admin.conf as the kubeconfig so that the kubectl commands which
update pods to use the new CA certs run with the correct permissions.

Story:2008858
Task: 42379

Change-Id: I4996060dd18ef3c448d4b225caec53bf0ae0ba75
This commit is contained in:
Feilong Wang 2021-04-27 19:19:35 +12:00
parent bc6ec3ab63
commit ce8ac0248a
1 changed files with 11 additions and 11 deletions


@ -14,22 +14,22 @@ service_account_private_key=$kube_service_account_private_key_input
if [ ! -z "$service_account_key" ] && [ ! -z "$service_account_private_key" ] ; then
# Follow the instructions on https://kubernetes.io/docs/tasks/tls/manual-rotation-of-ca-certificates/
for namespace in $(kubectl get namespace -o jsonpath='{.items[*].metadata.name}'); do
for name in $(kubectl get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
for namespace in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get namespace -o jsonpath='{.items[*].metadata.name}'); do
for name in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl --kubeconfig /etc/kubernetes/admin.conf patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
done
for name in $(kubectl get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
for name in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl --kubeconfig /etc/kubernetes/admin.conf patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
done
done
# Annotate any Daemonsets and Deployments to trigger pod replacement in a safer rolling fashion.
for namespace in $(kubectl get namespace -o jsonpath='{.items[*].metadata.name}'); do
for name in $(kubectl get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
for namespace in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get namespace -o jsonpath='{.items[*].metadata.name}'); do
for name in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get deployments -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl --kubeconfig /etc/kubernetes/admin.conf patch deployment -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
done
for name in $(kubectl get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
for name in $(kubectl --kubeconfig /etc/kubernetes/admin.conf get daemonset -n $namespace -o jsonpath='{.items[*].metadata.name}'); do
kubectl --kubeconfig /etc/kubernetes/admin.conf patch daemonset -n ${namespace} ${name} -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "1"}}}}}';
done
done
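Review bot: Every kubectl call in this hunk now hard-codes `--kubeconfig /etc/kubernetes/admin.conf` (eight call sites here plus the calico-node re-patch in the second hunk) and none of them checks its exit status, so if admin.conf is unreadable or the API server is not yet serving with the new CA, each `$(kubectl ... get namespace ...)` substitution expands to nothing, the loops run zero iterations, and the script still reaches the trailing `echo "END: rotate CA certs on master"` as if every workload had been rolled (unless the file runs under `set -e`, which the visible lines do not show). I would guard the block once and factor the repeated path into a helper: `[ -r /etc/kubernetes/admin.conf ] || { echo "admin.conf not readable, cannot roll pods onto the new CA" >&2; exit 1; }` and `kctl() { kubectl --kubeconfig /etc/kubernetes/admin.conf "$@"; }`, then write each call site as `kctl patch deployment -n "$namespace" "$name" -p '...'`, quoting the expansions while at it. Since the loop patches every deployment and daemonset in every namespace, including kube-system, with cluster-admin credentials, a failed patch should at least be logged rather than ignored, e.g. `kctl patch ... || echo "WARN: failed to patch $namespace/$name" >&2`. The deployment/daemonset loop appears twice in this hunk, before and after the "Annotate any Daemonsets and Deployments" comment; if that is the file's real content and not a rendering artifact, it is worth collapsing into a single pass. The enclosing `if` opened at the top of this hunk closes at the `fi` in the second hunk, outside this one.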
@ -39,7 +39,7 @@ if [ ! -z "$service_account_key" ] && [ ! -z "$service_account_private_key" ] ;
done
# NOTE(flwang): Re-patch the calico-node daemonset again to make sure all pods are being recreated
kubectl patch daemonset -n kube-system calico-node -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "2"}}}}}';
kubectl --kubeconfig /etc/kubernetes/admin.conf patch daemonset -n kube-system calico-node -p '{"spec":{"template":{"metadata":{"annotations":{"ca-rotation": "2"}}}}}';
fi
echo "END: rotate CA certs on master"