CA certiticates auto renew schedule or playbook renew CA certificates #10486
Comments
This can probably be provided by things like cert-manager, or already exists for some certs in kubespray, depending on which ones you mean.
/close
@VannTen: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I just came across this request and think it is a valid kubespray use-case, specifically for rotating the CA that is used for issuing all the other k8s certs (admin.conf, apiserver, apiserver-kubelet-client, controller-manager.conf, etc.) For example, kubeadm shows my cert expirations as so:
We know every time we upgrade, kubespray will naturally rotate all the certs under the top section (as that is a feature provided by kubeadm out-the-box I believe). But it would be nice if kubespray could automatically handle the rotation of the CA itself. Kubernetes docs note how kubeadm doesn't support this and provide manual steps to rotate the CA, but I feel like automating this is within the kubespray feature-set, though I understand it may be a significant undertaking. Thoughts? @VannTen
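The expiry figures kubeadm prints are the input a pre-upgrade check would look at before deciding whether the CA itself needs rotating. The following is an added example, not code from kubespray or from the comment author: a small Go program, standard library only, that parses a CA certificate in PEM form, computes the whole days left before NotAfter, and flags rotation when fewer than a threshold remain, so an upgrade step can stop rather than run past an imminent CA expiry. The `/etc/kubernetes/pki/ca.crt` path, the 2015 issue date and the 2025 check date are assumptions; the CA it checks is constructed in-process so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CAExpiry is the result of checking one CA certificate's validity window.
type CAExpiry struct {
	Subject       string
	NotAfter      time.Time
	DaysLeft      int  // whole days from now until NotAfter (negative once expired)
	IsCA          bool // basic constraints mark this as a CA certificate
	NeedsRotation bool // fewer than warnDays remain, or already expired
}

// CheckCAExpiry parses a PEM-encoded certificate and reports how many whole
// days remain before NotAfter relative to now. It flags rotation when fewer
// than warnDays remain, so an upgrade playbook can stop before the CA rolls
// over unexpectedly.
func CheckCAExpiry(pemBytes []byte, now time.Time, warnDays int) (CAExpiry, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return CAExpiry{}, errors.New("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return CAExpiry{}, fmt.Errorf("parse certificate: %w", err)
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	return CAExpiry{
		Subject:       cert.Subject.CommonName,
		NotAfter:      cert.NotAfter,
		DaysLeft:      days,
		IsCA:          cert.IsCA,
		NeedsRotation: days < warnDays,
	}, nil
}

// NewTestCA builds a constructed self-signed CA certificate in PEM form, valid
// from notBefore for the given number of years. It exists only so the check
// has something to run against offline; kubeadm's own CA generation differs.
func NewTestCA(cn string, notBefore time.Time, years int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed scenario: a cluster CA issued in mid-2015 with kubeadm's
	// default 10-year lifetime, checked at the start of 2025 with a one-year
	// warning threshold. In a real pre-upgrade step the PEM would be read from
	// /etc/kubernetes/pki/ca.crt (assumed path) and now would be time.Now().
	issued := time.Date(2015, 7, 1, 0, 0, 0, 0, time.UTC)
	caPEM, err := NewTestCA("kubernetes", issued, 10)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	r, err := CheckCAExpiry(caPEM, now, 365)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("CA %q expires %s (%d days left), needs rotation: %v\n",
		r.Subject, r.NotAfter.Format("2006-01-02"), r.DaysLeft, r.NeedsRotation)
	if r.NeedsRotation {
		os.Exit(2) // non-zero so a wrapping upgrade step stops here
	}
}
```

The threshold is deliberately an input rather than a constant: the warning window that makes sense depends on how far ahead the rotation procedure has to be scheduled, and an Ansible task can pass it in and treat a non-zero exit as a failed pre-flight check.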
Yeah, that would be an interesting addition, especially considering Kubernetes had its 10-year anniversary and Kubespray isn't too far from it either. Root CA expiration for existing clusters is probably not an urgent concern (I doubt too many people still have clusters started in 2015) but it will grow in probability with time, so it's certainly worth it to handle this.
I don't think auto renew would work, but as part of an upgrade, that's certainly possible. The linked procedure does not seem that complicated, that would need to be translated to Ansible.
Can't really say how hard it would be, except that our certificate generation right now is not super great, that's one of the many areas that needs refactoring.
/triage accepted
What would you like to be added:
Handle root CA rotation during upgrade as described in Kubernetes docs
Why is this needed:
Kubeadm does not handle the root CA rotation, and while they have a long duration by default (10 years), those would eventually expire.
#10486 (comment)