@@ -21,8 +21,11 @@ import (
2121 "crypto/ecdsa"
2222 "crypto/rsa"
2323 "crypto/x509"
24+ "encoding/pem"
2425 "fmt"
26+ "io/fs"
2527 "os"
28+ "slices"
2629 "strings"
2730 "time"
2831
@@ -93,7 +96,7 @@ func CAKeyPair(config *configupload.Configuration) (crypto.Signer, *x509.Certifi
9396
9497func NewSignedKubernetesServiceTLSCert (name , namespace , domain string , caKey crypto.Signer , caCert * x509.Certificate ) (map [string ]string , error ) {
9598 serviceCommonName := strings .Join ([]string {name , namespace , "svc" }, "." )
96- serviceFQDNCommonName := strings .Join ([]string {serviceCommonName , domain , "" }, "." )
99+ serviceFQDNCommonName := strings .Join ([]string {serviceCommonName , domain }, "." )
97100
98101 altdnsNames := []string {
99102 serviceFQDNCommonName ,
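Review bot: The new join on line 99 still yields a trailing dot ("name.ns.svc.") whenever `domain` is the empty string, which is exactly the malformed SAN this line is being changed to avoid; whether callers can pass an empty domain is not visible here, so this may be moot. If it can happen, guard it before the join, `if domain == "" { serviceFQDNCommonName = serviceCommonName }`, or build the parts with `strings.Join` over a slice that omits empty elements. NewSignedKubernetesServiceTLSCert continues past the end of this hunk.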
@@ -140,7 +143,43 @@ func RenewAll(st *state.State) error {
140143 logger := ctx .Logger .WithField ("node" , node .PublicAddress )
141144 logger .Infoln ("Renew certificates..." )
142145
143- _ , _ , err := ctx .Runner .RunRaw ("sudo kubeadm certs renew all" )
146+ sshfs := ctx .Runner .NewFS ()
147+ apiserverCertFile , err := fs .ReadFile (sshfs , KubernetesAPIServerPath )
148+ if err != nil {
149+ return fail .SSH (err , "reading Kubernetes API server certificate" )
150+ }
151+
152+ apiserverPEM , _ := pem .Decode (apiserverCertFile )
153+ if apiserverPEM == nil {
154+ return fail .Runtime (fmt .Errorf ("PEM block is empty" ), "decoding Kubernetes API server certificate PEM" )
155+ }
156+
157+ apiserverCert , err := x509 .ParseCertificate (apiserverPEM .Bytes )
158+ if err != nil {
159+ return fail .Runtime (err , "parsing Kubernetes API server certificate" )
160+ }
161+
162+ needToRecreateAPIServerCerts := false
163+ for _ , san := range ctx .Cluster .APIEndpoint .AlternativeNames {
164+ if ! slices .Contains (apiserverCert .DNSNames , san ) {
165+ needToRecreateAPIServerCerts = true
166+ }
167+ }
168+
169+ var certsCmd strings.Builder
170+ if needToRecreateAPIServerCerts {
171+ fmt .Fprintf (& certsCmd , "sudo rm %q\n " , KubernetesAPIServerPath )
172+ kubeadmInitAllCertsCmd , serr := scripts .KubeadmCertsAll (ctx .WorkDir , node .ID , ctx .KubeadmVerboseFlag ())
173+ if serr != nil {
174+ return serr
175+ }
176+ certsCmd .WriteString (kubeadmInitAllCertsCmd )
177+ certsCmd .WriteString ("\n " )
178+ }
179+
180+ certsCmd .WriteString ("sudo kubeadm certs renew all" )
181+
182+ _ , _ , err = ctx .Runner .RunRaw (certsCmd .String ())
144183 if err != nil {
145184 return fail .SSH (err , "renewing certificates" )
146185 }
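Review bot: The SAN check on lines 163-167 compares every configured alternative name against `apiserverCert.DNSNames` only, so an IP-literal entry in `AlternativeNames` (if the configuration permits them, which this hunk does not show) can never match and the API server certificate would be deleted and regenerated on every renewal run; the loop also keeps iterating after the first mismatch where a `break` would do. Splitting the comparison by `net.ParseIP` and checking `IPAddresses` for IP entries fixes both, at the cost of adding `"net"` to the import block changed in the first hunk. Separately, line 171 removes the certificate with `sudo rm` before kubeadm recreates it, so a failure of the generated script in the same command leaves the node without an API server certificate; renaming it to a backup path instead of deleting it would keep a rollback available. The "PEM block is empty" message on line 154 is emitted when `pem.Decode` finds no block at all, so "no PEM block found in API server certificate" would describe the condition more accurately.

```go
needToRecreateAPIServerCerts := false
for _, san := range ctx.Cluster.APIEndpoint.AlternativeNames {
	// IP SANs live in IPAddresses, not DNSNames; compare them as parsed addresses.
	if ip := net.ParseIP(san); ip != nil {
		if !slices.ContainsFunc(apiserverCert.IPAddresses, ip.Equal) {
			needToRecreateAPIServerCerts = true
			break
		}
		continue
	}
	if !slices.Contains(apiserverCert.DNSNames, san) {
		needToRecreateAPIServerCerts = true
		break
	}
}
// … unchanged: certsCmd construction and RunRaw call …
```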