From 46eec77fc889ec88c9a496ca5ab2db85729d8b62 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Wed, 2 Feb 2022 16:50:26 -0800
Subject: [PATCH] Instructions for worker certificate renewals
---
docs/04-certificate-authority.md | 6 ++---
docs/09-bootstrapping-kubernetes-workers.md | 1 +
docs/13-certificate-renewal.md | 28 ++++++++++++++++++++-
3 files changed, 31 insertions(+), 4 deletions(-)
diff --git a/docs/04-certificate-authority.md b/docs/04-certificate-authority.md
index 2c2b2cd..9dae315 100644
--- a/docs/04-certificate-authority.md
+++ b/docs/04-certificate-authority.md
@@ -428,7 +428,8 @@ Copy the appropriate certificates and private keys to each worker instance:
```
for instance in worker-0 worker-1 worker-2; do
- gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/
+ gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem \
+ kube-proxy-key.pem kube-proxy.pem ${instance}:~/
done
```
@@ -439,8 +440,7 @@ for instance in controller-0 controller-1 controller-2; do
gcloud compute scp ca.pem kubernetes-key.pem kubernetes.pem \
service-account-key.pem service-account.pem \
kube-controller-manager-key.pem kube-controller-manager.pem \
- kube-proxy-key.pem kube-proxy.pem kube-scheduler-key.pem \
- kube-scheduler.pem ${instance}:~/
+ kube-scheduler-key.pem kube-scheduler.pem ${instance}:~/
done
```
diff --git a/docs/09-bootstrapping-kubernetes-workers.md b/docs/09-bootstrapping-kubernetes-workers.md
index 9958f88..f756dd9 100644
--- a/docs/09-bootstrapping-kubernetes-workers.md
+++ b/docs/09-bootstrapping-kubernetes-workers.md
@@ -244,6 +244,7 @@ EOF
```
sudo mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig
+sudo mv kube-proxy.pem kube-proxy-key.pem /var/lib/kube-proxy
```
Create the `kube-proxy-config.yaml` configuration file:
diff --git a/docs/13-certificate-renewal.md b/docs/13-certificate-renewal.md
index fb517c3..e37a00b 100644
--- a/docs/13-certificate-renewal.md
+++ b/docs/13-certificate-renewal.md
@@ -237,7 +237,7 @@ gcloud compute ssh worker-0
## Configure Certificate Renewal for `kubelet.service`
-Run:
+Install the a renewal service that will restart `kubelet.service` when the certificate is renewed:
```
sudo mkdir /etc/systemd/system/cert-renewer@kubelet.service.d
@@ -255,4 +255,30 @@ sudo systemctl daemon-reload
sudo systemctl enable --now cert-renewer@kubelet.timer
```
+## Configure Certificate Renewal for `kube-proxy.service`
+
+Install a renewal service that will rebuild the kubeconfig file and restart kube-proxy when the certificate is renewed:
+
+```
+sudo mkdir /etc/systemd/system/cert-renewer@kube-proxy.service.d
+cat < Remember to run the above commands on each controller node: `worker-0`, `worker-1`, and `worker-2`.