How to extend the validity of the OpenShift kubelet-server and kubelet-client certificates on all the nodes?

I have deployed OpenShift (OKD) 3.11 using https://github.com/openshift/openshift-ansible/tree/release-3.11 and I want to extend the validity of all certificates to 5 years or more.

I tried setting the following variables in the inventory:

openshift_hosted_registry_cert_expire_days=1825
openshift_ca_cert_expire_days=1825
openshift_master_cert_expire_days=1825
etcd_ca_default_days=1825

I ran the redeploy-certificates playbook, following https://docs.openshift.com/container-platform/3.11/install_config/redeploying_certificates.html#redeploying-all-certificates-current-ca

ansible-playbook -i openshift-ansible/playbooks/inventory.ini openshift-ansible/playbooks/redeploy-certificates.yml

After the command above completed, I saw that the validity of many certificates had been updated to 5 years (1825 days), but the kubelet-server and kubelet-client certificates still had the default validity of 1 year:

master-228-rak.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-client-2020-11-05-22-07-35.pem
        Validity
            Not Before: Nov  5 22:03:00 2020 GMT
            Not After : Nov  5 22:03:00 2021 GMT
master-228-rak.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-server-2020-11-05-22-10-56.pem
        Validity
            Not Before: Nov  5 22:06:00 2020 GMT
            Not After : Nov  5 22:06:00 2021 GMT

node1.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-client-2020-11-05-22-10-54.pem
        Validity
            Not Before: Nov  5 22:06:00 2020 GMT
            Not After : Nov  5 22:06:00 2021 GMT
node1.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-server-2020-11-05-22-10-56.pem
        Validity
            Not Before: Nov  5 22:06:00 2020 GMT
            Not After : Nov  5 22:06:00 2021 GMT

How can I renew these certificates so that they get the desired validity period?
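The comparison the question makes by hand (reading the "Not Before"/"Not After" lines of each node certificate) can be scripted. The following is an added example, not code from the question or from openshift-ansible: it parses the `host - path` plus `Validity` text shown above, computes each certificate's issued lifetime, and lists the ones that were issued for less than the requested 1825 days. The sample input embeds the question's kubelet certificates plus one constructed CA entry (hypothetical path) that did pick up the 5-year setting; on a real cluster you would feed it the output of `openssl x509 -noout -text` for each file.

```python
"""Audit certificate lifetimes from openssl 'Validity' output.

Added example (not part of the original question or of openshift-ansible).
It parses the text that `openssl x509 -noout -text` prints for each
certificate, prefixed by a 'host - path' header line as in the question,
and reports which certificates were issued with a shorter lifetime than
requested (here 1825 days).
"""
import re
from datetime import datetime, timezone

# Constructed sample: two kubelet certificates from the question plus one
# hypothetical CA certificate (placeholder path) that did get 1825 days.
SAMPLE = """\
master-228-rak.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-client-2020-11-05-22-07-35.pem
        Validity
            Not Before: Nov  5 22:03:00 2020 GMT
            Not After : Nov  5 22:03:00 2021 GMT
node1.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-server-2020-11-05-22-10-56.pem
        Validity
            Not Before: Nov  5 22:06:00 2020 GMT
            Not After : Nov  5 22:06:00 2021 GMT
master-228-rak.167.254.xx.xxx.nip.io - /etc/origin/example-ca/ca.crt
        Validity
            Not Before: Nov  5 22:03:00 2020 GMT
            Not After : Nov  4 22:03:00 2025 GMT
"""

HEADER_RE = re.compile(r"^(?P<host>\S+) - (?P<path>\S+)$")
DATE_RE = re.compile(r"Not (?P<which>Before|After)\s*:\s*(?P<date>.+?)\s*$")


def parse_openssl_date(text):
    """Parse an openssl date such as 'Nov  5 22:03:00 2020 GMT' as UTC."""
    text = text.strip()
    if text.endswith(" GMT"):
        text = text[:-4]
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_validity_report(text):
    """Return one dict per certificate: host, path, not_before, not_after."""
    certs = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        header = HEADER_RE.match(stripped)
        if header:
            current = {"host": header["host"], "path": header["path"]}
            certs.append(current)
            continue
        date = DATE_RE.search(stripped)
        if date and current is not None:
            key = "not_before" if date["which"] == "Before" else "not_after"
            current[key] = parse_openssl_date(date["date"])
    # Drop entries whose Validity block was incomplete.
    return [c for c in certs if "not_before" in c and "not_after" in c]


def lifetime_days(cert):
    """Number of days the certificate was issued for."""
    return (cert["not_after"] - cert["not_before"]).days


def days_remaining(cert, now):
    """Days until expiry relative to an aware datetime `now` (negative if expired)."""
    return (cert["not_after"] - now).days


def short_lived(certs, min_days):
    """Certificates issued for fewer than `min_days` days."""
    return [c for c in certs if lifetime_days(c) < min_days]


def main():
    now = datetime.now(timezone.utc)
    certs = parse_validity_report(SAMPLE)
    for cert in certs:
        print(f"{cert['host']} {cert['path']}: issued for {lifetime_days(cert)} days, "
              f"{days_remaining(cert, now)} days remaining")
    for cert in short_lived(certs, 1825):
        print(f"SHORT-LIVED (<1825 days): {cert['path']}")


if __name__ == "__main__":
    main()
```

Run it after collecting the `openssl x509 -noout -text` output from each node into one file; anything listed as short-lived is a certificate the inventory variables did not reach, which for the kubelet certificates is expected behaviour rather than a failed playbook run. The `days_remaining` value is also the number to watch when checking that automatic rotation actually replaces a certificate before it expires.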

These certificates are always generated for one year and rotated automatically. You can force a redeploy by redeploying a new CA with the -e openshift_redeploy_openshift_ca=true flag, as described in the documentation:

Redeploying Node Certificates

By default, node certificates are valid for one year. OKD automatically rotates node certificates when they get close to expiring. If automatic approval is not configured, you must manually approve the certificate signing requests (CSRs).

If you need to redeploy certificates because the CA certificate was changed, you can use the playbooks/redeploy-certificates.yml playbook with the -e openshift_redeploy_openshift_ca=true flag. See Redeploying All Certificates Using the Current OpenShift Container Platform and etcd CA for details. When running this playbook, the CSRs are automatically approved.

As far as I know, since this is an automatic process, you cannot change the validity to anything other than 1 year. Make sure you are using openshift_master_bootstrap_auto_approve=true so that renewal is automatic.