Rotate k8s certificate automatically

By default, k8s cluster certificates generated by kubeadm have 1 year expiration. After certificates expired, k8s will not rotate them automatically. This commit checks the cert expiration date every day and rotates them automatically if they expires within 90 days. After cert renewed, all the k8s master component configurations will be updated. An alarm will be sent to fm to notify the administrator to reboot the controllers or renew the certs manually if the automatic process fails. Change-Id: I383120b8904857bcf09ad6ca999900ce8eda9b95 Closes-Bug: 1838659 Depends-On: https://review.opendev.org/#/c/696224/ Depends-On: https://review.opendev.org/#/c/698624/ Signed-off-by: Mingyuan Qi <mingyuan.qi@intel.com>
2019-10-31 11:16:01 +08:00
parent 04478ab209
commit e86f8b90fd
1 changed files with 10 additions and 0 deletions
--- a/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
+++ b/puppet-manifests/src/modules/platform/manifests/kubernetes.pp
@@ -347,6 +347,16 @@ class platform::kubernetes::master::init
      ensure => present,
    }
  }
+
+  # Run kube-cert-rotation daily
+  cron { 'kube-cert-rotation':
+    ensure      => 'present',
+    command     => '/usr/bin/kube-cert-rotation.sh',
+    environment => 'PATH=/bin:/usr/bin:/usr/sbin',
+    minute      => '10',
+    hour        => '*/24',
+    user        => 'root',
+  }
 }

 class platform::kubernetes::master