add an option to control k8s certs auto-renew script

Signed-off-by: 24sama <jacksama@foxmail.com>
2025-12-26 01:22:51 +00:00 · 2022-05-06 10:41:26 +08:00 · 2022-05-06 10:41:26 +08:00 · 9c74581ff2
parent 80cd6895e3
commit 9c74581ff2
8 changed files with 22 additions and 7 deletions
--- a/apis/kubekey/v1alpha2/kubernetes_types.go
+++ b/apis/kubekey/v1alpha2/kubernetes_types.go
@ -29,6 +29,7 @@ type Kubernetes struct {
 	NodeCidrMaskSize       int      `yaml:"nodeCidrMaskSize" json:"nodeCidrMaskSize,omitempty"`
 	ApiserverCertExtraSans []string `yaml:"apiserverCertExtraSans" json:"apiserverCertExtraSans,omitempty"`
 	ProxyMode              string   `yaml:"proxyMode" json:"proxyMode,omitempty"`
+	AutoRenewCerts         *bool    `yaml:"autoRenewCerts" json:"autoRenewCerts,omitempty"`
 	// +optional
 	Nodelocaldns             *bool                `yaml:"nodelocaldns" json:"nodelocaldns,omitempty"`
 	ContainerManager         string               `yaml:"containerManager" json:"containerManager,omitempty"`
@ -78,3 +79,10 @@ func (k *Kubernetes) EnableNodeFeatureDiscovery() bool {
 	}
 	return *k.NodeFeatureDiscovery.Enabled
 }
+
+func (k *Kubernetes) EnableAutoRenewCerts() bool {
+	if k.AutoRenewCerts == nil {
+		return false
+	}
+	return *k.AutoRenewCerts
+}
--- a/docs/config-example.md
+++ b/docs/config-example.md
@ -23,14 +23,16 @@ spec:
    address: ""      # The IP address of your load balancer.
    port: 6443
  system:
-    ntpServers: #  The ntp servers of chrony, set the node name in `hosts` as ntp servers if no public ntp servers access.
+    ntpServers: #  The ntp servers of chrony.
      - time1.cloud.tencent.com
      - ntp.aliyun.com
+      - node1 # Set the node name in `hosts` as ntp server if no public ntp servers access.
    timezone: "Asia/Shanghai"
  kubernetes:
    version: v1.21.5
    imageRepo: kubesphere
    clusterName: cluster.local
+    autoRenewCerts: true # Whether to install a script which can automatically renew the Kubernetes control plane certificates. [Default: false]
    masqueradeAll: false  # masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode. [Default: false].
    maxPods: 110  # maxPods is the number of Pods that can run on this Kubelet. [Default: 110]
    nodeCidrMaskSize: 24  # The internal network node size allocation. This is the size allocated to each node on your network. [Default: 24]
--- a/pkg/certs/module.go
+++ b/pkg/certs/module.go
@ -127,6 +127,11 @@ func (r *RenewCertsModule) Init() {

 type AutoRenewCertsModule struct {
 	common.KubeModule
+	Skip bool
+}
+
+func (a *AutoRenewCertsModule) IsSkip() bool {
+	return a.Skip
 }

 func (a *AutoRenewCertsModule) Init() {
--- a/pkg/config/templates/cluster.go
+++ b/pkg/config/templates/cluster.go
@ -53,6 +53,7 @@ spec:
  kubernetes:
    version: {{ .Options.KubeVersion }}
    clusterName: cluster.local
+    autoRenewCerts: true
  etcd:
    type: kubekey
  network:
--- a/pkg/pipelines/add_nodes.go
+++ b/pkg/pipelines/add_nodes.go
@ -65,7 +65,7 @@ func NewAddNodesPipeline(runtime *common.KubeRuntime) error {
 		&loadbalancer.HaproxyModule{Skip: !runtime.Cluster.ControlPlaneEndpoint.IsInternalLBEnabled()},
 		&kubernetes.ConfigureKubernetesModule{},
 		&filesystem.ChownModule{},
-		&certs.AutoRenewCertsModule{},
+		&certs.AutoRenewCertsModule{Skip: !runtime.Cluster.Kubernetes.EnableAutoRenewCerts()},
 	}

 	p := pipeline.Pipeline{
@ -118,7 +118,7 @@ func NewK3sAddNodesPipeline(runtime *common.KubeRuntime) error {
 		&loadbalancer.K3sHaproxyModule{Skip: !runtime.Cluster.ControlPlaneEndpoint.IsInternalLBEnabled()},
 		&kubernetes.ConfigureKubernetesModule{},
 		&filesystem.ChownModule{},
-		&certs.AutoRenewCertsModule{},
+		&certs.AutoRenewCertsModule{Skip: !runtime.Cluster.Kubernetes.EnableAutoRenewCerts()},
 	}

 	p := pipeline.Pipeline{
--- a/pkg/pipelines/create_cluster.go
+++ b/pkg/pipelines/create_cluster.go
@ -85,7 +85,7 @@ func NewCreateClusterPipeline(runtime *common.KubeRuntime) error {
 		&network.DeployNetworkPluginModule{},
 		&kubernetes.ConfigureKubernetesModule{},
 		&filesystem.ChownModule{},
-		&certs.AutoRenewCertsModule{},
+		&certs.AutoRenewCertsModule{Skip: !runtime.Cluster.Kubernetes.EnableAutoRenewCerts()},
 		&kubernetes.SaveKubeConfigModule{},
 		&plugins.DeployPluginsModule{},
 		&addons.AddonsModule{},
@ -176,6 +176,7 @@ func NewK3sCreateClusterPipeline(runtime *common.KubeRuntime) error {
 		&network.DeployNetworkPluginModule{},
 		&kubernetes.ConfigureKubernetesModule{},
 		&filesystem.ChownModule{},
+		&certs.AutoRenewCertsModule{Skip: !runtime.Cluster.Kubernetes.EnableAutoRenewCerts()},
 		&k3s.SaveKubeConfigModule{},
 		&addons.AddonsModule{},
 		&storage.DeployLocalVolumeModule{Skip: skipLocalStorage},
--- a/pkg/pipelines/upgrade_cluster.go
+++ b/pkg/pipelines/upgrade_cluster.go
@ -53,7 +53,7 @@ func NewUpgradeClusterPipeline(runtime *common.KubeRuntime) error {
 		&kubernetes.SetUpgradePlanModule{Step: kubernetes.ToV122},
 		&kubernetes.ProgressiveUpgradeModule{Step: kubernetes.ToV122},
 		&filesystem.ChownModule{},
-		&certs.AutoRenewCertsModule{},
+		&certs.AutoRenewCertsModule{Skip: !runtime.Cluster.Kubernetes.EnableAutoRenewCerts()},
 	}

 	p := pipeline.Pipeline{
--- a/pkg/version/kubesphere/templates/installer.go
+++ b/pkg/version/kubesphere/templates/installer.go
@ -305,12 +305,10 @@ spec:
  selector:
    matchLabels:
      app: ks-install
-      version: {{ .Tag }}
  template:
    metadata:
      labels:
        app: ks-install
-        version: {{ .Tag }}
    spec:
      serviceAccountName: ks-installer
      containers: