TechQA.

How to extend the validity of openshift kublet-server, kublet-client certificates of all the nodes?

1.2k views Asked by At

I have deployed openshift(okd) 3.11 using : https://github.com/openshift/openshift-ansible/tree/release-3.11 I would want to extend the validity of all the certificates to 5 years or more.

I have tried set following variables in the inventory:

openshift_hosted_registry_cert_expire_days=1825
openshift_ca_cert_expire_days=1825
openshift_master_cert_expire_days=1825
etcd_ca_default_days=1825

and i have run the re-deploy certificate play referring to https://docs.openshift.com/container-platform/3.11/install_config/redeploying_certificates.html#redeploying-all-certificates-current-ca

ansible-playbook -i openshift-ansible/playbooks/inventory.ini openshift-ansible/playbooks/redeploy-certificates.yml

After the completion of above command, i see many of the certificates getting updated to 5 years(1825 days) validity, but kublet-server, kublet-client certificates remain default as original i.e 1 year

master-228-rak.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-client-2020-11-05-22-07-35.pem
        Validity
            Not Before: Nov  5 22:03:00 2020 GMT
            Not After : Nov  5 22:03:00 2021 GMT
master-228-rak.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-server-2020-11-05-22-10-56.pem
        Validity
            Not Before: Nov  5 22:06:00 2020 GMT
            Not After : Nov  5 22:06:00 2021 GMT

node1.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-client-2020-11-05-22-10-54.pem
        Validity
            Not Before: Nov  5 22:06:00 2020 GMT
            Not After : Nov  5 22:06:00 2021 GMT
node1.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-server-2020-11-05-22-10-56.pem
        Validity
            Not Before: Nov  5 22:06:00 2020 GMT
            Not After : Nov  5 22:06:00 2021 GMT

How can i renew these certificates to have desired value as certificate validity?

ssl-certificate openshift openshift-origin openshift-3 okd
Original Q&A
1

There are 1 answers

1
Simon On BEST ANSWER

These certificates are always generated for one year and are automatically rotated. You can force redeployment by redeploying a new CA by using the -e openshift_redeploy_openshift_ca=true flag as described in the documentation:

Redeploying Node Certificates

By default, node certificates are valid for one year. OKD automatically rotates node certificates when they get close to expiring. If automatic approval is not configured, you must manually approve the certificate signing requests (CSRs).

If you need to redeploy certificates because the CA certificate was changed, you can use the playbooks/redeploy-certificates.yml playbook with the -e openshift_redeploy_openshift_ca=true flag. See Redeploying All Certificates Using the Current OpenShift Container Platform and etcd CA for details. When running this playbook, the CSRs are automatically approved.

As far as I know, since this is an automatic process, you cannot change the validity period to be different from 1 year. Make sure you are using openshift_master_bootstrap_auto_approve=true to make the renewal automatic.

Related Questions in SSL-CERTIFICATE

Related Questions in OPENSHIFT

Related Questions in OPENSHIFT-ORIGIN

Related Questions in OPENSHIFT-3

Related Questions in OKD

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions