Extending the kubeadm certificate expiry date
Introduction
We use kubeadm to deploy a Kubernetes cluster.
By default, kubeadm issues a CA certificate that is valid for 10 years and signed certificates that expire after 1 year. Here we modify kubeadm so that certificates default to 290 years.
Patch
diff --git cmd/kubeadm/app/constants/constants.go cmd/kubeadm/app/constants/constants.go
index 75adf43..1279b20 100644
--- cmd/kubeadm/app/constants/constants.go
+++ cmd/kubeadm/app/constants/constants.go
@@ -44,7 +44,7 @@ const (
TempDirForKubeadm = "tmp"
// CertificateValidity defines the validity for all the signed certificates generated by kubeadm
- CertificateValidity = time.Hour * 24 * 365
+ CertificateValidity = time.Hour * 24 * 365 * 290
// CACertAndKeyBaseName defines certificate authority base name
CACertAndKeyBaseName = "ca"
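Review bot: the `* 290` on the new `CertificateValidity` line is an unexplained magic number, and the comment directly above it says this constant sets the validity of all the signed certificates kubeadm generates, so every leaf certificate gets the new lifetime. Add a comment stating why 290 was chosen (290 years of 365 days is close to the roughly 292-year ceiling of an int64-nanosecond `time.Duration`) and define the factor in one place, since the same literal is hard-coded again in cert.go.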
diff --git staging/src/k8s.io/client-go/util/cert/cert.go staging/src/k8s.io/client-go/util/cert/cert.go
index 9fd097a..977edaf 100644
--- staging/src/k8s.io/client-go/util/cert/cert.go
+++ staging/src/k8s.io/client-go/util/cert/cert.go
@@ -63,7 +63,7 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
Organization: cfg.Organization,
},
NotBefore: now.UTC(),
- NotAfter: now.Add(duration365d * 10).UTC(),
+ NotAfter: now.Add(duration365d * 290).UTC(),
KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
BasicConstraintsValid: true,
IsCA: true,
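Review bot: with `duration365d * 290` on the `NotAfter` line and `CertificateValidity` also raised to 290 years, the CA lifetime is no longer longer than the lifetime of the certificates it signs (it was 10:1 before). If a signed certificate's NotAfter is computed as issue time plus `CertificateValidity`, any certificate issued after the CA was created will carry a NotAfter later than the CA's own. Keep the CA validity strictly greater than the leaf validity, or cap the leaf NotAfter at the CA's NotAfter.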
Or apply the patch with the following commands, assuming the content above is saved as the file patch-date.patch:
git checkout v1.17.2-beta.0
patch -p0 -i patch-date.patch
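To see what lifetimes a build actually issues, the helper below reads a PEM bundle and reports each certificate's validity in days. It is an added example, not part of the original post or of kubeadm; validityDays and sampleCA are hypothetical names, and the two CA certificates are constructed in memory to stand in for a stock (10-year) and a patched (290-year) CA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// validityDays (hypothetical helper) maps each certificate CN in a PEM bundle to NotAfter-NotBefore in whole days.
func validityDays(data []byte) (map[string]int, error) {
	out := map[string]int{}
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue // skip private keys and other PEM blocks
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		out[c.Subject.CommonName] = int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
	}
	return out, nil
}

// sampleCA builds a constructed self-signed CA for the demo (not a real kubeadm certificate).
func sampleCA(cn string, validity time.Duration) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	start := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		NotBefore: start, NotAfter: start.Add(validity), KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	bundle := append(sampleCA("stock-ca", 3650*24*time.Hour), sampleCA("patched-ca", 290*365*24*time.Hour)...)
	fmt.Println(validityDays(bundle))
}
```

On a real cluster the same function can be fed the contents of the certificate files kubeadm wrote, in place of the constructed bundle.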
Summary
Although we patch the date, the normal practice may be to renew the certificates every year. It’s up to you whether to patch it or not.