Ability to use "long lasting" Kubernetes certificates #1302
Comments
rafzei added the status/ready-for-development and type/improvement labels and removed the "ready for development" label on Jul 29, 2020.
Consider backporting it to the 0.5.x branch.

As another task requires a hotfix, this one is on hold.
Certificates settings in epiphany's config were refactored and extended, example:

```yaml
---
kind: configuration/kubernetes-master
title: "Kubernetes Master Config"
name: default
provider: azure
specification:
  advanced:
    certificates:
      location: /etc/kubernetes/pki
      expiration_days: 800
      renew: false
```

Cases that need to be tested, 'at least':

```sh
# useful commands
kubeadm alpha certs check-expiration
# certificates location - /etc/kubernetes/pki/
openssl x509 -in apiserver.crt -text -noout
# certificates embedded in config files also participate in the update process
grep 'client-certificate-data' /etc/kubernetes/controller-manager.conf | awk '{print $2}' | base64 -d | openssl x509 -text
```
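The checks listed in the comment above, as an added example that is not part of this issue or of epiphany's own code: a small Go program that does offline what the kubeadm and openssl one-liners do interactively. It reads the certificate files under the pki directory and the base64 client-certificate-data embedded in the kubeconfig files, and warns about anything with fewer than 30 days of validity left. The locations /etc/kubernetes/pki and /etc/kubernetes/controller-manager.conf come from the comment; the other kubeconfig names, the 30-day threshold, the function names and the SelfSignedPEM helper (which builds a constructed certificate so the checker can be tried without a cluster) are assumptions of this example.

```go
// Added example, not epiphany's own code: report the remaining validity of kubeadm-managed
// certificates, both the PEM files under the pki directory and the client certificates
// embedded (base64) in kubeconfig files. The paths and the 30-day threshold are assumptions.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"strings"
	"time"
)

type CertStatus struct { // one row of the expiry report
	Source   string // file path, with ":client-certificate-data" appended for embedded certs
	Subject  string
	NotAfter time.Time
	DaysLeft int // whole days until NotAfter; negative once expired
}

// CheckPEM decodes the first CERTIFICATE block of pemBytes and measures its remaining lifetime.
func CheckPEM(source string, pemBytes []byte, now time.Time) (CertStatus, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CertStatus{}, fmt.Errorf("%s: no CERTIFICATE block found", source)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CertStatus{}, fmt.Errorf("%s: %w", source, err)
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	return CertStatus{source, cert.Subject.String(), cert.NotAfter, days}, nil
}

// CheckKubeconfig reports every client-certificate-data value in a kubeconfig, scanning lines
// rather than parsing YAML, the same way the grep/awk/base64 one-liner above does.
func CheckKubeconfig(path string, now time.Time) ([]CertStatus, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var out []CertStatus
	for _, line := range strings.Split(string(data), "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "client-certificate-data:") {
			continue
		}
		raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(line[len("client-certificate-data:"):]))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
		st, err := CheckPEM(path+":client-certificate-data", raw, now)
		if err != nil {
			return nil, err
		}
		out = append(out, st)
	}
	return out, nil
}

// SelfSignedPEM builds a constructed, self-signed Ed25519 certificate valid for the given number
// of days, so the checker can be exercised offline without touching a real cluster.
func SelfSignedPEM(cn string, notBefore time.Time, days int) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand.Reader does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, days)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now, all := time.Now(), []CertStatus{}
	files, _ := filepath.Glob("/etc/kubernetes/pki/*.crt") // kubeadm's default location
	for _, p := range files {
		if data, err := os.ReadFile(p); err == nil {
			if st, err := CheckPEM(p, data, now); err == nil {
				all = append(all, st)
			}
		}
	}
	for _, kc := range []string{"admin.conf", "controller-manager.conf", "scheduler.conf", "kubelet.conf"} {
		sts, _ := CheckKubeconfig(filepath.Join("/etc/kubernetes", kc), now) // an absent file yields nothing
		all = append(all, sts...)
	}
	for _, st := range all {
		if st.DaysLeft < 30 { // warn well before kubeadm's one-year default runs out
			fmt.Printf("WARN %s (%s) expires %s, %d days left\n", st.Source, st.Subject, st.NotAfter.Format(time.RFC3339), st.DaysLeft)
		}
	}
}
```

Run it on a control-plane node (reading /etc/kubernetes needs root). The embedded kubeconfig certificates are checked separately from the pki files because, as the comment notes, they take part in the same renewal and are easy to overlook when only the pki directory is inspected; a kubeconfig that still carries an old client certificate is exactly the case the test plan above wants covered.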
By design Kubernetes assumes all newly created certificates have their expiration time set to 1 year. There is really no automatic way to overcome that and modify the expiration time (kubernetes/kubeadm#1505 (comment)).

What can be done though is:

- A combination of automatic certificate renewal (https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#automatic-certificate-renewal) and kubelet certificate rotation (https://kubernetes.io/docs/tasks/tls/certificate-rotation/) could be used (after upgrade to 1.18+).
- A custom certificate authority (https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#custom-certificates) managed by Ansible, where we could try ignoring the 1 year requirement (at the cost of decreased security) and set it to an arbitrary value.