
Comments (5)

champtar commented on May 31, 2024 1

If you think this is risky, you should run it more often, not less, but on your schedule, so you find out what fails and fix it.
Given the lack of negative feedback over the years I personally think it's safe.

from kubespray.

ErikJiang commented on May 31, 2024

You can adjust the frequency of certificate renewal using the auto_renew_certificates_systemd_calendar parameter.

from kubespray.

Payback159 commented on May 31, 2024

Hi @cqmmm,

I've already looked at this too. The problem is that kubeadm for the certs check-expirations command currently does not provide a good output to recognize the residual time of the certificates. You would have to parse a few values with awk, for example, and with the next output change you would have to check again and again whether the check is still valid.

I also checked and apparently kubeadm is already working on supporting other output-formats like yaml or json (this would make parsing the information easier), but as @ErikJiang already mentioned, your problem would probably be solved by configuring auto_renew_certificates_systemd_calendar.

As an example you could use * *-01,07-01 00:00:00, then the script would only run every 6 months. In my test case, the kubeadm certificates are valid for 364d. This means that it would be renewed twice as often as necessary and you are 100% sure that the certificates will not expire before the script renews them.

from kubespray.

Payback159 commented on May 31, 2024

Maybe a logic extension of the script makes sense if kubespray runs on kubeadm v1.30 (I think this also implies the Kubernetes version v1.30).

Since kubeadm apparently supports the structured outputs with v1.30 for kubeadm certs commands. kubernetes/kubernetes#123372

from kubespray.
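
Added example, not part of the thread and not Kubespray's or kubeadm's code: a renewal gate that reads a JSON expiration report, such as the structured output mentioned above, and decides whether renewal is due. The field names (`certificates`, `name`, `expirationDate`, `externallyManaged`), the sample report and the 60-day threshold are assumptions; if the report cannot be read, for example after an output format change, the gate fails closed and renews.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample report, not captured from a real cluster. The field
# names are assumptions about kubeadm's JSON output; check them against
# the version you run.
SAMPLE_REPORT = """
{
  "certificates": [
    {"name": "apiserver", "expirationDate": "2025-05-30T10:00:00Z",
     "externallyManaged": false},
    {"name": "front-proxy-client", "expirationDate": "2024-07-10T10:00:00Z",
     "externallyManaged": false},
    {"name": "etcd-server", "expirationDate": "2024-06-05T10:00:00Z",
     "externallyManaged": true}
  ]
}
"""


def certs_due(report_json, now, threshold):
    """Return names of kubeadm-managed certs expiring within `threshold`."""
    due = []
    for cert in json.loads(report_json)["certificates"]:
        if cert.get("externallyManaged"):
            continue  # renewed by another system, so not this gate's concern
        # fromisoformat() only accepts a trailing "Z" from Python 3.11 on
        stamp = cert["expirationDate"].replace("Z", "+00:00")
        if datetime.fromisoformat(stamp) - now <= threshold:
            due.append(cert["name"])
    return due


def should_renew(report_json, now, threshold=timedelta(days=60)):
    """Fail closed: an unreadable report means renew rather than skip."""
    try:
        return bool(certs_due(report_json, now, threshold))
    except (ValueError, KeyError, TypeError, AttributeError):
        return True


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("renew" if should_renew(SAMPLE_REPORT, now) else "skip")
```
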

MrFreezeex commented on May 31, 2024

Also note that before this option even existed, the Kubespray stance was that people should be upgrading at least once a year to stay on a supported version, so this was somewhat not needed. So if your use case fits that (i.e. you didn't reduce the cert lifetime), you could still fall back to not using this option at all.

Although if you find a way to improve the existing logic, feel free!

from kubespray.
