diff --git a/README-zh_CN.md b/README-zh_CN.md
index cbb1709..3c30ec2 100644
--- a/README-zh_CN.md
+++ b/README-zh_CN.md
@@ -26,7 +26,7 @@ chmod 755 update-kubeadm-cert.sh
 **如果使用 `containerd` 作为 CRI 运行时:**
-- 使用 `update-kubeadm-cert-crictl.sh` 代替 `update-kubeadm-cert.sh`
+- 执行脚本时增加`--cri containerd`参数,默认为`docker`运行时
 - 手动重启控制平面 Pods(必须)
 > 执行完此命令之后你需要重启控制面 Pods。因为动态证书重载目前还不被所有组件和证书支持,所有这项操作是必须的。 静态 Pods 是被本地 kubelet 而不是 API Server 管理, 所以 kubectl 不能用来删除或重启他们。 要重启静态 Pod 你可以临时将清单文件从 /etc/kubernetes/manifests/ 移除并等待 20 秒 (参考 KubeletConfiguration 结构 中的 fileCheckFrequency 值)。 如果 Pod 不在清单目录里,kubelet 将会终止它。 在另一个 fileCheckFrequency 周期之后你可以将文件移回去,为了组件可以完成 kubelet 将重新创建 Pod 和证书更新。
 > https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal
@@ -36,7 +36,7 @@ chmod 755 update-kubeadm-cert.sh
 **如果有多个 master 节点,在每个 master 节点都执行一次**
 ```
-./update-kubeadm-cert.sh all
+./update-kubeadm-cert.sh all --cri docker
 ```
 输出类似信息
@@ -62,7 +62,7 @@ CERTIFICATE EXPIRES
 [2021-09-12T16:41:26.04+0800][INFO] updated /etc/kubernetes/pki/etcd/peer.conf
 [2021-09-12T16:41:26.07+0800][INFO] updated /etc/kubernetes/pki/etcd/healthcheck-client.conf
 [2021-09-12T16:41:26.11+0800][INFO] updated /etc/kubernetes/pki/apiserver-etcd-client.conf
-[2021-09-12T16:41:26.54+0800][INFO] restarted etcd
+[2021-09-12T16:41:26.54+0800][INFO] restarted etcd with docker
 [2021-09-12T16:41:26.60+0800][INFO] updated /etc/kubernetes/pki/apiserver.crt
 [2021-09-12T16:41:26.64+0800][INFO] updated /etc/kubernetes/pki/apiserver-kubelet-client.crt
 [2021-09-12T16:41:26.69+0800][INFO] updated /etc/kubernetes/controller-manager.conf
@@ -72,9 +72,9 @@ CERTIFICATE EXPIRES
 [2021-09-12T16:41:26.80+0800][INFO] copy the admin.conf to /root/.kube/config
 [2021-09-12T16:41:26.85+0800][INFO] updated /etc/kubernetes/kubelet.conf
 [2021-09-12T16:41:26.88+0800][INFO] updated /etc/kubernetes/pki/front-proxy-client.crt
-[2021-09-12T16:41:28.70+0800][INFO] restarted apiserver
-[2021-09-12T16:41:29.17+0800][INFO] restarted controller-manager
-[2021-09-12T16:41:30.07+0800][INFO] restarted scheduler
+[2021-09-12T16:41:28.70+0800][INFO] restarted apiserver with docker
+[2021-09-12T16:41:29.17+0800][INFO] restarted controller-manager with docker
+[2021-09-12T16:41:30.07+0800][INFO] restarted scheduler with docker
 [2021-09-12T16:41:30.13+0800][INFO] restarted kubelet
 [2021-09-12T16:41:30.14+0800][INFO] done!!!
 CERTIFICATE EXPIRES
diff --git a/README.md b/README.md
index 665b21f..60eb83b 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ chmod 755 update-kubeadm-cert.sh
 **If you use `containerd` as CRI runtime:**
-- use `update-kubeadm-cert-crictl.sh` instead of `update-kubeadm-cert.sh`
+- add the `--cri containerd` argument when executing the script. The default is `docker` runtime.
 - manual restart the control plane Pods (necessary)
 > After running the command you should restart the control plane Pods. This is required since dynamic certificate reload is currently not supported for all components and certificates. Static Pods are managed by the local kubelet and not by the API Server, thus kubectl cannot be used to delete and restart them. To restart a static Pod you can temporarily remove its manifest file from /etc/kubernetes/manifests/ and wait for 20 seconds (see the fileCheckFrequency value in KubeletConfiguration struct. The kubelet will terminate the Pod if it's no longer in the manifest directory. You can then move the file back and after another fileCheckFrequency period, the kubelet will recreate the Pod and the certificate renewal for the component can complete.
 > https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal
@@ -36,7 +36,7 @@ Use `./update-kubeadm-cert.sh all` or `bash update-kubeadm-cert.sh all` to execu
 **Execute on every master node if the cluster has more than one**
 ```
-./update-kubeadm-cert.sh all
+./update-kubeadm-cert.sh all --cri docker
 ```
 The output should be like this:
@@ -62,7 +62,7 @@ CERTIFICATE EXPIRES
 [2021-09-12T16:41:26.04+0800][INFO] updated /etc/kubernetes/pki/etcd/peer.conf
 [2021-09-12T16:41:26.07+0800][INFO] updated /etc/kubernetes/pki/etcd/healthcheck-client.conf
 [2021-09-12T16:41:26.11+0800][INFO] updated /etc/kubernetes/pki/apiserver-etcd-client.conf
-[2021-09-12T16:41:26.54+0800][INFO] restarted etcd
+[2021-09-12T16:41:26.54+0800][INFO] restarted etcd with docker
 [2021-09-12T16:41:26.60+0800][INFO] updated /etc/kubernetes/pki/apiserver.crt
 [2021-09-12T16:41:26.64+0800][INFO] updated /etc/kubernetes/pki/apiserver-kubelet-client.crt
 [2021-09-12T16:41:26.69+0800][INFO] updated /etc/kubernetes/controller-manager.conf
@@ -72,9 +72,9 @@ CERTIFICATE EXPIRES
 [2021-09-12T16:41:26.80+0800][INFO] copy the admin.conf to /root/.kube/config
 [2021-09-12T16:41:26.85+0800][INFO] updated /etc/kubernetes/kubelet.conf
 [2021-09-12T16:41:26.88+0800][INFO] updated /etc/kubernetes/pki/front-proxy-client.crt
-[2021-09-12T16:41:28.70+0800][INFO] restarted apiserver
-[2021-09-12T16:41:29.17+0800][INFO] restarted controller-manager
-[2021-09-12T16:41:30.07+0800][INFO] restarted scheduler
+[2021-09-12T16:41:28.70+0800][INFO] restarted apiserver with docker
+[2021-09-12T16:41:29.17+0800][INFO] restarted controller-manager with docker
+[2021-09-12T16:41:30.07+0800][INFO] restarted scheduler with docker
 [2021-09-12T16:41:30.13+0800][INFO] restarted kubelet
 [2021-09-12T16:41:30.14+0800][INFO] done!!!
 CERTIFICATE EXPIRES
diff --git a/update-kubeadm-cert-crictl.sh b/update-kubeadm-cert-crictl.sh
deleted file mode 100644
index a9c7fd1..0000000
--- a/update-kubeadm-cert-crictl.sh
+++ /dev/null
@@ -1,422 +0,0 @@
-#!/usr/bin/env bash
-
-set -o errexit
-set -o pipefail
-# set -o xtrace
-
-# set output color
-NC='\033[0m'
-RED='\033[31m'
-GREEN='\033[32m'
-YELLOW='\033[33m'
-BLUE='\033[34m'
-
-log::err() {
- printf "[$(date +'%Y-%m-%dT%H:%M:%S.%2N%z')][${RED}ERROR${NC}] %b\n" "$@"
-}
-
-log::info() {
- printf "[$(date +'%Y-%m-%dT%H:%M:%S.%2N%z')][INFO] %b\n" "$@"
-}
-
-log::warning() {
- printf "[$(date +'%Y-%m-%dT%H:%M:%S.%2N%z')][${YELLOW}WARNING${NC}] \033[0m%b\n" "$@"
-}
-
-check_file() {
- if [[ ! -r ${1} ]]; then
- log::err "can not find ${1}"
- exit 1
- fi
-}
-
-# get x509v3 subject alternative name from the old certificate
-cert::get_subject_alt_name() {
- local cert=${1}.crt
- local alt_name
-
- check_file "${cert}"
- alt_name=$(openssl x509 -text -noout -in "${cert}" | grep -A1 'Alternative' | tail -n1 | sed 's/[[:space:]]*Address//g')
- printf "%s\n" "${alt_name}"
-}
-
-# get subject from the old certificate
-cert::get_subj() {
- local cert=${1}.crt
- local subj
-
- check_file "${cert}"
- subj=$(openssl x509 -text -noout -in "${cert}" | grep "Subject:" | sed 's/Subject:/\//g;s/\,/\//;s/[[:space:]]//g')
- printf "%s\n" "${subj}"
-}
-
-cert::backup_file() {
- local file=${1}
- if [[ ! -e ${file}.old-$(date +%Y%m%d) ]]; then
- cp -rp "${file}" "${file}.old-$(date +%Y%m%d)"
- log::info "backup ${file} to ${file}.old-$(date +%Y%m%d)"
- else
- log::warning "does not backup, ${file}.old-$(date +%Y%m%d) already exists"
- fi
-}
-
-# check certificate expiration
-cert::check_cert_expiration() {
- local cert=${1}.crt
- local cert_expires
-
- cert_expires=$(openssl x509 -text -noout -in "${cert}" | awk -F ": " '/Not After/{print$2}')
- printf "%s\n" "${cert_expires}"
-}
-
-# check kubeconfig expiration
-cert::check_kubeconfig_expiration() {
- local config=${1}.conf
- local cert
- local cert_expires
-
- cert=$(grep "client-certificate-data" "${config}" | awk '{print$2}' | base64 -d)
- cert_expires=$(openssl x509 -text -noout -in <(printf "%s" "${cert}") | awk -F ": " '/Not After/{print$2}')
- printf "%s\n" "${cert_expires}"
-}
-
-# check etcd certificates expiration
-cert::check_etcd_certs_expiration() {
- local cert
- local certs
-
- certs=(
- "${ETCD_CERT_CA}"
- "${ETCD_CERT_SERVER}"
- "${ETCD_CERT_PEER}"
- "${ETCD_CERT_HEALTHCHECK_CLIENT}"
- "${ETCD_CERT_APISERVER_ETCD_CLIENT}"
- )
-
- for cert in "${certs[@]}"; do
- if [[ ! -r ${cert} ]]; then
- printf "%-50s%-30s\n" "${cert}.crt" "$(cert::check_cert_expiration "${cert}")"
- fi
- done
-}
-
-# check master certificates expiration
-cert::check_master_certs_expiration() {
- local certs
- local kubeconfs
- local cert
- local conf
-
- certs=(
- "${CERT_CA}"
- "${CERT_APISERVER}"
- "${CERT_APISERVER_KUBELET_CLIENT}"
- "${FRONT_PROXY_CA}"
- "${FRONT_PROXY_CLIENT}"
- )
-
- kubeconfs=(
- "${CONF_CONTROLLER_MANAGER}"
- "${CONF_SCHEDULER}"
- "${CONF_ADMIN}"
- )
-
- printf "%-50s%-30s\n" "CERTIFICATE" "EXPIRES"
-
- for conf in "${kubeconfs[@]}"; do
- if [[ ! -r ${conf} ]]; then
- printf "%-50s%-30s\n" "${conf}.config" "$(cert::check_kubeconfig_expiration "${conf}")"
- fi
- done
-
- for cert in "${certs[@]}"; do
- if [[ ! -r ${cert} ]]; then
- printf "%-50s%-30s\n" "${cert}.crt" "$(cert::check_cert_expiration "${cert}")"
- fi
- done
-}
-
-# check all certificates expiration
-cert::check_all_expiration() {
- cert::check_master_certs_expiration
- cert::check_etcd_certs_expiration
-}
-
-# generate certificate whit client, server or peer
-# Args:
-# $1 (the name of certificate)
-# $2 (the type of certificate, must be one of client, server, peer)
-# $3 (the subject of certificates)
-# $4 (the validity of certificates) (days)
-# $5 (the name of ca)
-# $6 (the x509v3 subject alternative name of certificate when the type of certificate is server or peer)
-cert::gen_cert() {
- local cert_name=${1}
- local cert_type=${2}
- local subj=${3}
- local cert_days=${4}
- local ca_name=${5}
- local alt_name=${6}
- local ca_cert=${ca_name}.crt
- local ca_key=${ca_name}.key
- local cert=${cert_name}.crt
- local key=${cert_name}.key
- local csr=${cert_name}.csr
- local common_csr_conf='distinguished_name = dn\n[dn]\n[v3_ext]\nkeyUsage = critical, digitalSignature, keyEncipherment\n'
-
- for file in "${ca_cert}" "${ca_key}" "${cert}" "${key}"; do
- check_file "${file}"
- done
-
- case "${cert_type}" in
- client)
- csr_conf=$(printf "%bextendedKeyUsage = clientAuth\n" "${common_csr_conf}")
- ;;
- server)
- csr_conf=$(printf "%bextendedKeyUsage = serverAuth\nsubjectAltName = %b\n" "${common_csr_conf}" "${alt_name}")
- ;;
- peer)
- csr_conf=$(printf "%bextendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = %b\n" "${common_csr_conf}" "${alt_name}")
- ;;
- *)
- log::err "unknow, unsupported certs type: ${YELLOW}${cert_type}${NC}, supported type: client, server, peer"
- exit 1
- ;;
- esac
-
- # gen csr
- openssl req -new -key "${key}" -subj "${subj}" -reqexts v3_ext \
- -config <(printf "%b" "${csr_conf}") \
- -out "${csr}" >/dev/null 2>&1
- # gen cert
- openssl x509 -in "${csr}" -req -CA "${ca_cert}" -CAkey "${ca_key}" -CAcreateserial -extensions v3_ext \
- -extfile <(printf "%b" "${csr_conf}") \
- -days "${cert_days}" -out "${cert}" >/dev/null 2>&1
-
- rm -f "${csr}"
-}
-
-cert::update_kubeconf() {
- local cert_name=${1}
- local kubeconf_file=${cert_name}.conf
- local cert=${cert_name}.crt
- local key=${cert_name}.key
- local subj
- local cert_base64
-
- check_file "${kubeconf_file}"
- # get the key from the old kubeconf
- grep "client-key-data" "${kubeconf_file}" | awk '{print$2}' | base64 -d >"${key}"
- # get the old certificate from the old kubeconf
- grep "client-certificate-data" "${kubeconf_file}" | awk '{print$2}' | base64 -d >"${cert}"
- # get subject from the old certificate
- subj=$(cert::get_subj "${cert_name}")
- cert::gen_cert "${cert_name}" "client" "${subj}" "${CERT_DAYS}" "${CERT_CA}"
- # get certificate base64 code
- cert_base64=$(base64 -w 0 "${cert}")
-
- # set certificate base64 code to kubeconf
- sed -i 's/client-certificate-data:.*/client-certificate-data: '"${cert_base64}"'/g' "${kubeconf_file}"
-
- rm -f "${cert}"
- rm -f "${key}"
-}
-
-cert::update_etcd_cert() {
- local subj
- local subject_alt_name
- local cert
-
- # generate etcd server,peer certificate
- # /etc/kubernetes/pki/etcd/server
- # /etc/kubernetes/pki/etcd/peer
- for cert in ${ETCD_CERT_SERVER} ${ETCD_CERT_PEER}; do
- subj=$(cert::get_subj "${cert}")
- subject_alt_name=$(cert::get_subject_alt_name "${cert}")
- cert::gen_cert "${cert}" "peer" "${subj}" "${CERT_DAYS}" "${ETCD_CERT_CA}" "${subject_alt_name}"
- log::info "${GREEN}updated ${BLUE}${cert}.conf${NC}"
- done
-
- # generate etcd healthcheck-client,apiserver-etcd-client certificate
- # /etc/kubernetes/pki/etcd/healthcheck-client
- # /etc/kubernetes/pki/apiserver-etcd-client
- for cert in ${ETCD_CERT_HEALTHCHECK_CLIENT} ${ETCD_CERT_APISERVER_ETCD_CLIENT}; do
- subj=$(cert::get_subj "${cert}")
- cert::gen_cert "${cert}" "client" "${subj}" "${CERT_DAYS}" "${ETCD_CERT_CA}"
- log::info "${GREEN}updated ${BLUE}${cert}.conf${NC}"
- done
-
- # restart etcd
- #docker ps | awk '/k8s_etcd/{print$1}' | xargs -r -I '{}' docker restart {} >/dev/null 2>&1 || true
- crictl ps | awk '/etcd-/{print$(NF-1)}' |xargs -r -I '{}' crictl stopp {} >/dev/null 2>&1 || true
- log::info "restarted etcd"
-}
-
-cert::update_master_cert() {
- local subj
- local subject_alt_name
- local conf
-
- # generate apiserver server certificate
- # /etc/kubernetes/pki/apiserver
- subj=$(cert::get_subj "${CERT_APISERVER}")
- subject_alt_name=$(cert::get_subject_alt_name "${CERT_APISERVER}")
- cert::gen_cert "${CERT_APISERVER}" "server" "${subj}" "${CERT_DAYS}" "${CERT_CA}" "${subject_alt_name}"
- log::info "${GREEN}updated ${BLUE}${CERT_APISERVER}.crt${NC}"
-
- # generate apiserver-kubelet-client certificate
- # /etc/kubernetes/pki/apiserver-kubelet-client
- subj=$(cert::get_subj "${CERT_APISERVER_KUBELET_CLIENT}")
- cert::gen_cert "${CERT_APISERVER_KUBELET_CLIENT}" "client" "${subj}" "${CERT_DAYS}" "${CERT_CA}"
- log::info "${GREEN}updated ${BLUE}${CERT_APISERVER_KUBELET_CLIENT}.crt${NC}"
-
- # generate kubeconf for controller-manager,scheduler and kubelet
- # /etc/kubernetes/controller-manager,scheduler,admin,kubelet.conf
- for conf in ${CONF_CONTROLLER_MANAGER} ${CONF_SCHEDULER} ${CONF_ADMIN} ${CONF_KUBELET}; do
- if [[ ${conf##*/} == "kubelet" ]]; then
- # https://github.com/kubernetes/kubeadm/issues/1753
- set +e
- grep kubelet-client-current.pem /etc/kubernetes/kubelet.conf >/dev/null 2>&1
- kubelet_cert_auto_update=$?
- set -e
- if [[ "$kubelet_cert_auto_update" == "0" ]]; then
- log::info "does not need to update kubelet.conf"
- continue
- fi
- fi
-
- # update kubeconf
- cert::update_kubeconf "${conf}"
- log::info "${GREEN}updated ${BLUE}${conf}.conf${NC}"
-
- # copy admin.conf to ${HOME}/.kube/config
- if [[ ${conf##*/} == "admin" ]]; then
- mkdir -p "${HOME}/.kube"
- local config=${HOME}/.kube/config
- local config_backup
- config_backup=${HOME}/.kube/config.old-$(date +%Y%m%d)
- if [[ -f ${config} ]] && [[ ! -f ${config_backup} ]]; then
- cp -fp "${config}" "${config_backup}"
- log::info "backup ${config} to ${config_backup}"
- fi
- cp -fp "${conf}.conf" "${HOME}/.kube/config"
- log::info "copy the admin.conf to ${HOME}/.kube/config"
- fi
- done
-
- # generate front-proxy-client certificate
- # /etc/kubernetes/pki/front-proxy-client
- subj=$(cert::get_subj "${FRONT_PROXY_CLIENT}")
- cert::gen_cert "${FRONT_PROXY_CLIENT}" "client" "${subj}" "${CERT_DAYS}" "${FRONT_PROXY_CA}"
- log::info "${GREEN}updated ${BLUE}${FRONT_PROXY_CLIENT}.crt${NC}"
-
- # restart apiserver, controller-manager, scheduler and kubelet
- for item in "apiserver" "controller-manager" "scheduler"; do
- #docker ps | awk '/k8s_kube-'${item}'/{print$1}' | xargs -r -I '{}' docker restart {} >/dev/null 2>&1 || true
- crictl ps | awk '/kube-'${item}'-/{print $(NF-1)}' | xargs -r -I '{}' crictl stopp {} >/dev/null 2>&1 || true
- log::info "restarted ${item}"
- done
- systemctl restart kubelet || true
- log::info "restarted kubelet"
-}
-
-main() {
- local node_type=$1
-
- CERT_DAYS=3650
-
- KUBE_PATH=/etc/kubernetes
- PKI_PATH=${KUBE_PATH}/pki
-
- # master certificates path
- # apiserver
- CERT_CA=${PKI_PATH}/ca
- CERT_APISERVER=${PKI_PATH}/apiserver
- CERT_APISERVER_KUBELET_CLIENT=${PKI_PATH}/apiserver-kubelet-client
- CONF_CONTROLLER_MANAGER=${KUBE_PATH}/controller-manager
- CONF_SCHEDULER=${KUBE_PATH}/scheduler
- CONF_ADMIN=${KUBE_PATH}/admin
- CONF_KUBELET=${KUBE_PATH}/kubelet
- # front-proxy
- FRONT_PROXY_CA=${PKI_PATH}/front-proxy-ca
- FRONT_PROXY_CLIENT=${PKI_PATH}/front-proxy-client
-
- # etcd certificates path
- ETCD_CERT_CA=${PKI_PATH}/etcd/ca
- ETCD_CERT_SERVER=${PKI_PATH}/etcd/server
- ETCD_CERT_PEER=${PKI_PATH}/etcd/peer
- ETCD_CERT_HEALTHCHECK_CLIENT=${PKI_PATH}/etcd/healthcheck-client
- ETCD_CERT_APISERVER_ETCD_CLIENT=${PKI_PATH}/apiserver-etcd-client
-
- case ${node_type} in
- # etcd)
- # # update etcd certificates
- # cert::update_etcd_cert
- # ;;
- master)
- # check certificates expiration
- cert::check_master_certs_expiration
- # backup $KUBE_PATH to $KUBE_PATH.old-$(date +%Y%m%d)
- cert::backup_file "${KUBE_PATH}"
- # update master certificates and kubeconf
- log::info "${GREEN}updating...${NC}"
- cert::update_master_cert
- log::info "${GREEN}done!!!${NC}"
- # check certificates expiration after certificates updated
- cert::check_master_certs_expiration
- ;;
- all)
- # check certificates expiration
- cert::check_all_expiration
- # backup $KUBE_PATH to $KUBE_PATH.old-$(date +%Y%m%d)
- cert::backup_file "${KUBE_PATH}"
- # update etcd certificates
- log::info "${GREEN}updating...${NC}"
- cert::update_etcd_cert
- # update master certificates and kubeconf
- cert::update_master_cert
- log::info "${GREEN}done!!!${NC}"
- # check certificates expiration after certificates updated
- cert::check_all_expiration
- ;;
- check)
- # check certificates expiration
- cert::check_all_expiration
- ;;
- *)
- log::err "unknown, unsupported cert type: ${node_type}, supported type: \"all\", \"master\""
- printf "Documentation: https://github.com/yuyicai/update-kube-cert
- example:
- '\033[32m./update-kubeadm-cert.sh all\033[0m' update all etcd certificates, master certificates and kubeconf
- /etc/kubernetes
- ├── admin.conf
- ├── controller-manager.conf
- ├── scheduler.conf
- ├── kubelet.conf
- └── pki
- ├── apiserver.crt
- ├── apiserver-etcd-client.crt
- ├── apiserver-kubelet-client.crt
- ├── front-proxy-client.crt
- └── etcd
- ├── healthcheck-client.crt
- ├── peer.crt
- └── server.crt
-
- '\033[32m./update-kubeadm-cert.sh master\033[0m' update only master certificates and kubeconf
- /etc/kubernetes
- ├── admin.conf
- ├── controller-manager.conf
- ├── scheduler.conf
- ├── kubelet.conf
- └── pki
- ├── apiserver.crt
- ├── apiserver-kubelet-client.crt
- └── front-proxy-client.crt
-"
- exit 1
- ;;
- esac
-}
-
-main "$@"
diff --git a/update-kubeadm-cert.sh b/update-kubeadm-cert.sh
index 6269573..49ee5d5 100755
--- a/update-kubeadm-cert.sh
+++ b/update-kubeadm-cert.sh
@@ -10,6 +10,8 @@ RED='\033[31m'
 GREEN='\033[32m'
 YELLOW='\033[33m'
 BLUE='\033[34m'
+# set default cri
+CRI="docker"
 log::err() {
 printf "[$(date +'%Y-%m-%dT%H:%M:%S.%2N%z')][${RED}ERROR${NC}] %b\n" "$@"
@@ -247,8 +249,15 @@ cert::update_etcd_cert() {
 done
 # restart etcd
- docker ps | awk '/k8s_etcd/{print$1}' | xargs -r -I '{}' docker restart {} >/dev/null 2>&1 || true
- log::info "restarted etcd"
+ case $CRI in
+ "docker")
+ docker ps | awk '/k8s_etcd/{print$1}' | xargs -r -I '{}' docker restart {} >/dev/null 2>&1 || true
+ ;;
+ "containerd")
+ crictl ps | awk '/etcd-/{print$(NF-1)}' | xargs -r -I '{}' crictl stopp {} >/dev/null 2>&1 || true
+ ;;
+ esac
+ log::info "restarted etcd with ${CRI}"
 }
 cert::update_master_cert() {
@@ -311,8 +320,15 @@ cert::update_master_cert() {
 # restart apiserver, controller-manager, scheduler and kubelet
 for item in "apiserver" "controller-manager" "scheduler"; do
- docker ps | awk '/k8s_kube-'${item}'/{print$1}' | xargs -r -I '{}' docker restart {} >/dev/null 2>&1 || true
- log::info "restarted ${item}"
+ case $CRI in
+ "docker")
+ docker ps | awk '/k8s_kube-'${item}'/{print$1}' | xargs -r -I '{}' docker restart {} >/dev/null 2>&1 || true
+ ;;
+ "containerd")
+ crictl ps | awk '/kube-'${item}'-/{print $(NF-1)}' | xargs -r -I '{}' crictl stopp {} >/dev/null 2>&1 || true
+ ;;
+ esac
+ log::info "restarted ${item} with ${CRI}"
 done
 systemctl restart kubelet || true
 log::info "restarted kubelet"
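Review bot: The new `log::info "restarted etcd with ${CRI}"` (and `restarted ${item} with ${CRI}` in the cert::update_master_cert hunk) reports success unconditionally, because the pipeline above it ends in `|| true` and its outcome is never inspected; if `docker`/`crictl` is not on PATH or the awk pattern matches no container, the component keeps serving the pre-rotation certificate while the log says it was restarted, and the operator gets no prompt to restart it by hand. Capturing the matched container ids before the restart and logging through `log::err` when the list is empty keeps the best-effort behaviour but makes the outcome visible; the loop in the second hunk needs the same treatment. The `case $CRI in` has no `*)` arm, which is acceptable only while CRI is set solely through the validated option in main and deserves a comment saying so. Both enclosing functions start outside their hunks.
```shell
  # restart etcd
  local ids=""
  case $CRI in
  "docker")
    ids=$(docker ps 2>/dev/null | awk '/k8s_etcd/{print$1}' || true)
    printf "%s\n" "${ids}" | xargs -r -I '{}' docker restart {} >/dev/null 2>&1 || true
    ;;
  "containerd")
    ids=$(crictl ps 2>/dev/null | awk '/etcd-/{print$(NF-1)}' || true)
    printf "%s\n" "${ids}" | xargs -r -I '{}' crictl stopp {} >/dev/null 2>&1 || true
    ;;
  esac
  if [[ -n ${ids} ]]; then
    log::info "restarted etcd with ${CRI}"
  else
    log::err "no etcd container found with ${CRI}; restart it manually so the new certificate is loaded"
  fi
```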
@@ -321,6 +337,36 @@ cert::update_master_cert() {
 main() {
 local node_type=$1
+ # read the options
+ ARGS=`getopt -o c: --long cri: -- "$@"`
+ eval set -- "$ARGS"
+ # extract options and their arguments into variables.
+ while true
+ do
+ case "$1" in
+ -c|--cri)
+ case "$2" in
+ "docker"|"containerd")
+ CRI=$2
+ shift 2
+ ;;
+ *)
+ echo 'Unsupported cri. Valid options are "docker", "containerd".'
+ exit 1
+ ;;
+ esac
+ ;;
+ --)
+ shift
+ break
+ ;;
+ *)
+ echo "Invalid arguments."
+ exit 1
+ ;;
+ esac
+ done
+
 CERT_DAYS=3650
 KUBE_PATH=/etc/kubernetes
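Review bot: `local node_type=$1` is captured before `getopt` and `eval set -- "$ARGS"` reorder the arguments, so the subcommand is only found when it is the first word; `./update-kubeadm-cert.sh --cri containerd all` (an ordering GNU getopt accepts) leaves node_type as `--cri` and ends in the usage branch of the case further down even though the option parsed cleanly. Assigning after the loop fixes this: keep `local node_type` at the top and add `node_type=$1` right after `done`, where `$1` is the first non-option argument whatever the order. The two `echo` error messages go to stdout instead of through `log::err` like the rest of the script, and `--long` needs util-linux getopt, which is presumably fine for kubeadm hosts but worth a one-line comment. main continues past the end of the hunk.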