Instructions for worker certificate renewals
parent
b9bf0744bb
commit
46eec77fc8
@ -428,7 +428,8 @@ Copy the appropriate certificates and private keys to each worker instance:
```
```
for instance in worker-0 worker-1 worker-2; do
for instance in worker-0 worker-1 worker-2; do
gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/
gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem \
kube-proxy-key.pem kube-proxy.pem ${instance}:~/
done
done
```
```
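Review bot: the private keys are dropped into the worker's home directory (`${instance}:~/`) with whatever mode scp gives them, and `${instance}-key.pem` and `kube-proxy-key.pem` then sit there until a later step moves them; add a `chmod 600` on the copied key files (or copy straight into their final directory with restrictive ownership) so no other local user can read them in the meantime. It is also worth one sentence in the prose above the block that the same `kube-proxy-key.pem` is now copied to every worker, so the `system:kube-proxy` identity is shared by all three nodes and compromise of one worker exposes it for all of them.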
@ -439,8 +440,7 @@ for instance in controller-0 controller-1 controller-2; do
gcloud compute scp ca.pem kubernetes-key.pem kubernetes.pem \
gcloud compute scp ca.pem kubernetes-key.pem kubernetes.pem \
service-account-key.pem service-account.pem \
service-account-key.pem service-account.pem \
kube-controller-manager-key.pem kube-controller-manager.pem \
kube-controller-manager-key.pem kube-controller-manager.pem \
kube-proxy-key.pem kube-proxy.pem kube-scheduler-key.pem \
kube-scheduler-key.pem kube-scheduler.pem ${instance}:~/
kube-scheduler.pem ${instance}:~/
done
done
```
```
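Review bot: removing `kube-proxy-key.pem kube-proxy.pem` from the controller copy set is the right least-privilege change (controllers never run kube-proxy), but neither the hunk nor the prose says so, and a reader diffing the two loops could take it for an accidental drop; add a sentence above the block stating that the kube-proxy key pair is now copied only to the workers. The re-wrapped continuation lines are correct as written: `kube-scheduler-key.pem kube-scheduler.pem ${instance}:~/` terminates the command.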
@ -244,6 +244,7 @@ EOF
```
```
sudo mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig
sudo mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig
sudo mv kube-proxy.pem kube-proxy-key.pem /var/lib/kube-proxy
```
```
Create the `kube-proxy-config.yaml` configuration file:
Create the `kube-proxy-config.yaml` configuration file:
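Review bot: `sudo mv kube-proxy.pem kube-proxy-key.pem /var/lib/kube-proxy` relocates the private key without setting its mode or owner; follow it with `sudo chmod 600 /var/lib/kube-proxy/kube-proxy-key.pem` (and a chown to the account kube-proxy runs under, if that is not root). These two paths are also load-bearing: the renewer override added later in this change rebuilds the kubeconfig from `CERT_LOCATION`/`KEY_LOCATION` under `/var/lib/kube-proxy`, so the file names moved here must match those variables exactly.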
@ -237,7 +237,7 @@ gcloud compute ssh worker-0
## Configure Certificate Renewal for `kubelet.service`
## Configure Certificate Renewal for `kubelet.service`
Run:
Install the a renewal service that will restart `kubelet.service` when the certificate is renewed:
```
```
sudo mkdir /etc/systemd/system/cert-renewer@kubelet.service.d
sudo mkdir /etc/systemd/system/cert-renewer@kubelet.service.d
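Review bot: typo in the new sentence: "Install the a renewal service that will restart `kubelet.service`" should read "Install a renewal service that will restart `kubelet.service`".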
@ -255,4 +255,30 @@ sudo systemctl daemon-reload
sudo systemctl enable --now cert-renewer@kubelet.timer
sudo systemctl enable --now cert-renewer@kubelet.timer
```
```
## Configure Certificate Renewal for `kube-proxy.service`
Install a renewal service that will rebuild the kubeconfig file and restart kube-proxy when the certificate is renewed:
```
sudo mkdir /etc/systemd/system/cert-renewer@kube-proxy.service.d
cat <<EOF | sudo tee /etc/systemd/system/cert-renewer@kube-proxy.service.d/override.conf
[Service]
Environment=STEPPATH=/root/.step \\
CERT_LOCATION=/var/lib/kube-proxy/kube-proxy.pem
\\
KEY_LOCATION=/var/lib/kube-proxy/kube-proxy.pem
ExecStartPost=kubectl config set-credentials system:kube-proxy \\
--client-certificate=\${CERT_LOCATION} \\
--client-key=\${KEY_LOCATION} \\
--embed-certs=true \\
--kubeconfig=/var/lib/kube-proxy/kubeconfig
ExecStartPost=systemctl restart kube-proxy.service
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now cert-renewer@kube-proxy.timer
```
> Remember to run the above commands on each controller node: `worker-0`, `worker-1`, and `worker-2`.
> Remember to run the above commands on each controller node: `worker-0`, `worker-1`, and `worker-2`.
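Review bot: `KEY_LOCATION=/var/lib/kube-proxy/kube-proxy.pem` points at the same file as `CERT_LOCATION`; it should be `/var/lib/kube-proxy/kube-proxy-key.pem`, otherwise `kubectl config set-credentials system:kube-proxy ... --client-key=\${KEY_LOCATION}` embeds the certificate where the private key belongs and kube-proxy stops authenticating after the first renewal, which is exactly the failure this service is meant to prevent. Two smaller points in the same hunk: as rendered, the backslash continuing the `Environment=` directive sits alone on its own line between the `CERT_LOCATION` and `KEY_LOCATION` entries, so confirm the heredoc really produces one `Environment=` line in the generated `override.conf`; and the closing reminder says "each controller node" but lists `worker-0`, `worker-1`, and `worker-2`, so it should read "each worker node".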