[k8s] Fix CA rotate

openstacker · openstacker · commit cdbe26c452f7 · 2021-08-03T18:26:43.000Z
Using admin.conf as the kubeconfig to get correct permissions
to run kubectl command to update pods to use the new CA certs.
Besides, now we need to create client certs on master nodes
as well.

Story:2008858
Task: 42379

Change-Id: I4996060dd18ef3c448d4b225caec53bf0ae0ba75
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/rotate-kubernetes-ca-certs-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/rotate-kubernetes-ca-certs-master.sh
@@ -7,6 +7,7 @@ set -x
 set -eu -o pipefail
 
 ssh_cmd="ssh -F /srv/magnum/.ssh/config root@localhost"
+export KUBECONFIG="/etc/kubernetes/admin.conf"
 
 service_account_key=$kube_service_account_key_input
 service_account_private_key=$kube_service_account_private_key_input
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
@@ -1067,6 +1067,7 @@ resources:
             - "#!/bin/bash"
             - get_file: ../../common/templates/kubernetes/fragments/upgrade-kubernetes.sh
             - get_file: ../../common/templates/kubernetes/fragments/make-cert.sh
+            - get_file: ../../common/templates/kubernetes/fragments/make-cert-client.sh
             - get_file: ../../common/templates/kubernetes/fragments/rotate-kubernetes-ca-certs-master.sh
 
   upgrade_kubernetes_deployment:
