Remove unnecessary step to manually update the service account secrets

Playing with v1.19.16, it seems that updating `--root-ca-file` flag in the kube-controller-manager config and then restart it results in all those Secrets getting updated with the new value.
kubernetes · Aug 2, 2022 · b1a5f31 · b1a5f31
1 parent 9193053
commit b1a5f31
Showing 1 changed file with 1 addition and 13 deletions.
diff --git a/content/en/docs/tasks/tls/manual-rotation-of-ca-certificates.md b/content/en/docs/tasks/tls/manual-rotation-of-ca-certificates.md
@@ -51,23 +51,11 @@ Configurations with a single API server will experience unavailability while the
    kube-controller-manager being unable to accept a CA bundle.
    {{< /note >}}
 
-1. Update all Secrets that hold service account tokens to include both old and new CA certificates.
+1. Wait for the controller manager to update `ca.crt` in the service account Secrets to include both old and new CA certificates.
 
     If any Pods are started before new CA is used by API servers, the new Pods get this update and will trust both
     old and new CAs.
 
-   ```shell
-   base64_encoded_ca="$(base64 -w0 <path to file containing both old and new CAs>)"
-
-   for namespace in $(kubectl get namespace --no-headers -o name | cut -d / -f 2 ); do
-       for token in $(kubectl get secrets --namespace "$namespace" --field-selector type=kubernetes.io/service-account-token -o name); do
-           kubectl get $token --namespace "$namespace" -o yaml | \
-             /bin/sed "s/\(ca.crt:\).*/\1 ${base64_encoded_ca}/" | \
-             kubectl apply -f -
-       done
-   done
-   ```
-
 1. Restart all pods using in-cluster configurations (for example: kube-proxy, CoreDNS, etc) so they can use the
    updated certificate authority data from Secrets that link to ServiceAccounts.