feat: Support certificate validity period config in kubeadm v1beta4 (#12272)

Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2025-12-14 13:54:37 +03:00 · 2025-06-03 11:44:37 +08:00
parent c7c3d2ba95
commit 3454cd2c69
2 changed files with 8 additions and 0 deletions
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -255,3 +255,9 @@ kubeadm_image_pull_serial: true
 # can be one of RSA-2048(default), RSA-3072, RSA-4096, ECDSA-P256
 # ref: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
 kube_asymmetric_encryption_algorithm: "RSA-2048"
+
+# certificates validity period configuration
+# non-CA certificate validity period, default 1 year (365d × 24h = 8760h)
+kube_cert_validity_period: 8760h
+# CA certificate validity period, default 10 years (365d × 24h × 10 = 87600h)
+kube_ca_cert_validity_period: 87600h
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -40,6 +40,8 @@ apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 clusterName: {{ cluster_name }}
 encryptionAlgorithm: {{ kube_asymmetric_encryption_algorithm }}
+certificateValidityPeriod: {{ kube_cert_validity_period }}
+caCertificateValidityPeriod: {{ kube_ca_cert_validity_period }}
 etcd:
 {% if etcd_deployment_type != "kubeadm" %}
  external: