By default, k8s cluster certificates generated by kubeadm have 1
year expiration. After certificates expired, k8s will not rotate
them automatically.
This commit checks the cert expiration date every day and rotates
them automatically if they expires within 90 days. After cert
renewed, all the k8s master component configurations will be updated.
An alarm will be sent to fm to notify the administrator to
reboot the controllers or renew the certs manually if the automatic
process fails.
Reviewed: https:/ /review. opendev. org/705387 /git.openstack. org/cgit/ starlingx/ config/ commit/ ?id=16f3c29c7db 3b01d48f57437f7 31c053d11f03c1
Committed: https:/
Submitter: Zuul
Branch: r/stx.2.0
commit 16f3c29c7db3b01 d48f57437f731c0 53d11f03c1
Author: Mingyuan Qi <email address hidden>
Date: Thu Oct 31 11:16:01 2019 +0800
Rotate k8s certificate automatically
By default, k8s cluster certificates generated by kubeadm have 1
year expiration. After certificates expired, k8s will not rotate
them automatically.
This commit checks the cert expiration date every day and rotates
them automatically if they expires within 90 days. After cert
renewed, all the k8s master component configurations will be updated.
An alarm will be sent to fm to notify the administrator to
reboot the controllers or renew the certs manually if the automatic
process fails.
Change-Id: I383120b8904857 bcf09ad6ca99990 0ce8eda9b95 /review. opendev. org/#/c/ 705383/ /review. opendev. org/#/c/ 705382/
Closes-Bug: 1838659
Depends-On: https:/
Depends-On: https:/
Signed-off-by: Mingyuan Qi <email address hidden>