From b1a5f31dd518f6d2e6feb3e41128a678230cdcd6 Mon Sep 17 00:00:00 2001 From: Rohit Agarwal Date: Thu, 14 Apr 2022 14:47:09 -0700 Subject: [PATCH] Remove unnecessary step to manually update the service account secrets Playing with v1.19.16, it seems that updating the `--root-ca-file` flag in the kube-controller-manager config and then restarting it results in all those Secrets getting updated with the new value. --- .../tls/manual-rotation-of-ca-certificates.md | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/content/en/docs/tasks/tls/manual-rotation-of-ca-certificates.md b/content/en/docs/tasks/tls/manual-rotation-of-ca-certificates.md index bad390575d574..2de01325f974d 100644 --- a/content/en/docs/tasks/tls/manual-rotation-of-ca-certificates.md +++ b/content/en/docs/tasks/tls/manual-rotation-of-ca-certificates.md 
@@ -51,23 +51,11 @@ Configurations with a single API server will experience unavailability while the kube-controller-manager being unable to accept a CA bundle. {{< /note >}} -1. Update all Secrets that hold service account tokens to include both old and new CA certificates. +1. Wait for the controller manager to update `ca.crt` in the service account Secrets to include both old and new CA certificates. If any Pods are started before new CA is used by API servers, the new Pods get this update and will trust both old and new CAs. - ```shell - base64_encoded_ca="$(base64 -w0 )" - - for namespace in $(kubectl get namespace --no-headers -o name | cut -d / -f 2 ); do - for token in $(kubectl get secrets --namespace "$namespace" --field-selector type=kubernetes.io/service-account-token -o name); do - kubectl get $token --namespace "$namespace" -o yaml | \ - /bin/sed "s/\(ca.crt:\).*/\1 ${base64_encoded_ca}/" | \ - kubectl apply -f - - done - done - ``` - 1. Restart all pods using in-cluster configurations (for example: kube-proxy, CoreDNS, etc) so they can use the updated certificate authority data from Secrets that link to ServiceAccounts.
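Review bot: the rewritten step 1 replaces a deterministic loop with "Wait for the controller manager to update `ca.crt`" but gives the reader no way to tell when the wait is over, and the commit message only reports this behaviour as observed on v1.19.16, so a verification command should follow the sentence before the reader moves on to the "Restart all pods" step that depends on it; for one service account token Secret, something like `kubectl get secret -n "$namespace" "$token" -o jsonpath='{.data.ca\.crt}' | base64 -d | grep -c 'BEGIN CERTIFICATE'` should print 2 once both the old and the new CA are present, and the text should say explicitly that the Secrets only receive whatever bundle `--root-ca-file` currently points to. Also, "before new CA is used by API servers" should read "before the new CA is used by the API servers".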