kubespray/roles/kubernetes/control-plane/templates/k8s-certs-renew.sh.j2

#!/bin/bash

echo "## Check Expiration before renewal ##"

{{ bin_dir }}/kubeadm certs check-expiration

days_buffer=7 # set a time margin, because we should not renew at the last moment
next_time=$(systemctl show k8s-certs-renew.timer  -p NextElapseUSecRealtime --value)

if [ "${next_time}" == "" ]; then
	echo "## Skip expiry comparison due to fail to parse next elapse from systemd calendar,do renewal directly ##"
else
	current_time=$(date +%s)
	target_time=$(date -d "${next_time} + ${days_buffer} days" +%s) # $next_time - $days_buffer days
	expiry_threshold=$(( ${target_time} - ${current_time} ))
	expired_certs=$({{ bin_dir }}/kubeadm certs check-expiration -o jsonpath="{.certificates[?(@.residualTime<${expiry_threshold}.0)]}")
    if [ "${expired_certs}" == "" ];then
		echo "## Skip cert renew and K8S container restart, since all residualTimes are beyond threshold ##"
		exit 0
	fi
fi

echo "## Renewing certificates managed by kubeadm ##"
{{ bin_dir }}/kubeadm certs renew all

echo "## Restarting control plane pods managed by kubeadm ##"
{% if container_manager == "docker" %}
{{ docker_bin_dir }}/docker ps -af 'name=k8s_POD_(kube-apiserver|kube-controller-manager|kube-scheduler|etcd)-*' -q | /usr/bin/xargs {{ docker_bin_dir }}/docker rm -f
{% else %}
{{ bin_dir }}/crictl pods --namespace kube-system --name 'kube-scheduler-*|kube-controller-manager-*|kube-apiserver-*|etcd-*' -q | /usr/bin/xargs {{ bin_dir }}/crictl rmp -f
{% endif %}

echo "## Updating /root/.kube/config ##"
cp {{ kube_config_dir }}/admin.conf /root/.kube/config

echo "## Waiting for apiserver to be up again ##"
until printf "" 2>>/dev/null >>/dev/tcp/127.0.0.1/{{ kube_apiserver_port | default(6443) }}; do sleep 1; done

echo "## Expiration after renewal ##"
{{ bin_dir }}/kubeadm certs check-expiration