Instructions for worker certificate renewals

pull/707/merge^2
Carl Tashian 2022-02-02 16:50:26 -08:00
parent b9bf0744bb
commit 46eec77fc8
3 changed files with 31 additions and 4 deletions

View File

@ -428,7 +428,8 @@ Copy the appropriate certificates and private keys to each worker instance:
``` ```
for instance in worker-0 worker-1 worker-2; do for instance in worker-0 worker-1 worker-2; do
gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem ${instance}:~/ gcloud compute scp ca.pem ${instance}-key.pem ${instance}.pem \
kube-proxy-key.pem kube-proxy.pem ${instance}:~/
done done
``` ```
@ -439,8 +440,7 @@ for instance in controller-0 controller-1 controller-2; do
gcloud compute scp ca.pem kubernetes-key.pem kubernetes.pem \ gcloud compute scp ca.pem kubernetes-key.pem kubernetes.pem \
service-account-key.pem service-account.pem \ service-account-key.pem service-account.pem \
kube-controller-manager-key.pem kube-controller-manager.pem \ kube-controller-manager-key.pem kube-controller-manager.pem \
kube-proxy-key.pem kube-proxy.pem kube-scheduler-key.pem \ kube-scheduler-key.pem kube-scheduler.pem ${instance}:~/
kube-scheduler.pem ${instance}:~/
done done
``` ```

View File

@ -244,6 +244,7 @@ EOF
``` ```
sudo mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig sudo mv kube-proxy.kubeconfig /var/lib/kube-proxy/kubeconfig
sudo mv kube-proxy.pem kube-proxy-key.pem /var/lib/kube-proxy
``` ```
Create the `kube-proxy-config.yaml` configuration file: Create the `kube-proxy-config.yaml` configuration file:

View File

@ -237,7 +237,7 @@ gcloud compute ssh worker-0
## Configure Certificate Renewal for `kubelet.service` ## Configure Certificate Renewal for `kubelet.service`
Run: Install the a renewal service that will restart `kubelet.service` when the certificate is renewed:
``` ```
sudo mkdir /etc/systemd/system/cert-renewer@kubelet.service.d sudo mkdir /etc/systemd/system/cert-renewer@kubelet.service.d
@ -255,4 +255,30 @@ sudo systemctl daemon-reload
sudo systemctl enable --now cert-renewer@kubelet.timer sudo systemctl enable --now cert-renewer@kubelet.timer
``` ```
## Configure Certificate Renewal for `kube-proxy.service`
Install a renewal service that will rebuild the kubeconfig file and restart kube-proxy when the certificate is renewed:
```
sudo mkdir /etc/systemd/system/cert-renewer@kube-proxy.service.d
cat <<EOF | sudo tee /etc/systemd/system/cert-renewer@kube-proxy.service.d/override.conf
[Service]
Environment=STEPPATH=/root/.step \\
CERT_LOCATION=/var/lib/kube-proxy/kube-proxy.pem
\\
KEY_LOCATION=/var/lib/kube-proxy/kube-proxy.pem
ExecStartPost=kubectl config set-credentials system:kube-proxy \\
--client-certificate=\${CERT_LOCATION} \\
--client-key=\${KEY_LOCATION} \\
--embed-certs=true \\
--kubeconfig=/var/lib/kube-proxy/kubeconfig
ExecStartPost=systemctl restart kube-proxy.service
EOF
sudo systemctl daemon-reload
sudo systemctl enable --now cert-renewer@kube-proxy.timer
```
> Remember to run the above commands on each controller node: `worker-0`, `worker-1`, and `worker-2`. > Remember to run the above commands on each controller node: `worker-0`, `worker-1`, and `worker-2`.