By default, k8s cluster certificates generated by kubeadm have 1
year expiration. After certificates expired, k8s will not rotate
them automatically.
This commit checks the cert expiration date every day and rotates
them automatically if they expires within 90 days. After cert
renewed, all the k8s master component configurations will be updated.
An alarm will be sent to fm to notify the administrator to
reboot the controllers or renew the certs manually if the automatic
process fails.
Reviewed: https:/ /review. opendev. org/705386 /git.openstack. org/cgit/ starlingx/ stx-puppet/ commit/ ?id=5fdd0989ffc 550ec1cfb38fdf4 ad39440de5d96e
Committed: https:/
Submitter: Zuul
Branch: r/stx.3.0
commit 5fdd0989ffc550e c1cfb38fdf4ad39 440de5d96e
Author: Mingyuan Qi <email address hidden>
Date: Thu Oct 31 11:16:01 2019 +0800
Rotate k8s certificate automatically
By default, k8s cluster certificates generated by kubeadm have 1
year expiration. After certificates expired, k8s will not rotate
them automatically.
This commit checks the cert expiration date every day and rotates
them automatically if they expires within 90 days. After cert
renewed, all the k8s master component configurations will be updated.
An alarm will be sent to fm to notify the administrator to
reboot the controllers or renew the certs manually if the automatic
process fails.
Change-Id: I383120b8904857 bcf09ad6ca99990 0ce8eda9b95 /review. opendev. org/#/c/ 705384/ /review. opendev. org/#/c/ 705385/ 2df5613ac83dcb9 a357f5a364)
Closes-Bug: 1838659
Depends-On: https:/
Depends-On: https:/
Signed-off-by: Mingyuan Qi <email address hidden>
(cherry picked from commit e86f8b90fd71c6c