I have deployed OpenShift (OKD) 3.11 using: https://github.com/openshift/openshift-ansible/tree/release-3.11 and I would like to extend the validity of all the certificates to 5 years or more.
I have tried setting the following variables in the inventory:
openshift_hosted_registry_cert_expire_days=1825
openshift_ca_cert_expire_days=1825
openshift_master_cert_expire_days=1825
etcd_ca_default_days=1825
and I have run the redeploy-certificates playbook, referring to https://docs.openshift.com/container-platform/3.11/install_config/redeploying_certificates.html#redeploying-all-certificates-current-ca
ansible-playbook -i openshift-ansible/playbooks/inventory.ini openshift-ansible/playbooks/redeploy-certificates.yml
After the above command completes, I see many of the certificates updated to a 5-year (1825 days) validity, but the kubelet-server and kubelet-client certificates keep their original default, i.e. 1 year:
master-228-rak.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-client-2020-11-05-22-07-35.pem
Validity
Not Before: Nov 5 22:03:00 2020 GMT
Not After : Nov 5 22:03:00 2021 GMT
master-228-rak.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-server-2020-11-05-22-10-56.pem
Validity
Not Before: Nov 5 22:06:00 2020 GMT
Not After : Nov 5 22:06:00 2021 GMT
node1.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-client-2020-11-05-22-10-54.pem
Validity
Not Before: Nov 5 22:06:00 2020 GMT
Not After : Nov 5 22:06:00 2021 GMT
node1.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-server-2020-11-05-22-10-56.pem
Validity
Not Before: Nov 5 22:06:00 2020 GMT
Not After : Nov 5 22:06:00 2021 GMT
How can I renew these certificates so that they get the desired validity period?
These certificates are always generated for one year and are automatically rotated. You can force redeployment by redeploying a new CA using the -e openshift_redeploy_openshift_ca=true flag, as described in the documentation:
Redeploying Node Certificates
By default, node certificates are valid for one year. OKD automatically rotates node certificates when they get close to expiring. If automatic approval is not configured, you must manually approve the certificate signing requests (CSRs).
If you need to redeploy certificates because the CA certificate was changed, you can use the playbooks/redeploy-certificates.yml playbook with the -e openshift_redeploy_openshift_ca=true flag. See Redeploying All Certificates Using the Current OpenShift Container Platform and etcd CA for details. When running this playbook, the CSRs are automatically approved.
As far as I know, since this is an automatic process, you cannot change the validity period to be different from 1 year. Make sure you are using openshift_master_bootstrap_auto_approve=true to make the renewal automatic.
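Since the kubelet certificates stay on a one-year lifetime and depend on automatic rotation, the practical check is to parse the same "Validity" output the question collected and confirm that every node certificate still has a comfortable margin before "Not After" (a rotation that silently stalled, e.g. on an unapproved CSR, shows up here as a shrinking remaining lifetime). The following is an added example written for this page, not code from openshift-ansible or the OKD documentation; the sample output is constructed to match the layout shown in the question, and the host names, paths and 30-day threshold are assumptions.

```python
"""Parse openssl-style 'Validity' output collected from OKD nodes and report,
per kubelet certificate, its lifetime and the days remaining before expiry.

Added example for this Q&A page; not part of openshift-ansible or OKD.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Union

# Constructed sample in the same layout as the question's output:
# "<host> - <path>" header, then Validity / Not Before / Not After lines.
SAMPLE_OUTPUT = """\
master-228-rak.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-client-2020-11-05-22-07-35.pem
Validity
Not Before: Nov 5 22:03:00 2020 GMT
Not After : Nov 5 22:03:00 2021 GMT
node1.167.254.xx.xxx.nip.io - /etc/origin/node/certificates/kubelet-server-2020-11-05-22-10-56.pem
Validity
Not Before: Nov 5 22:06:00 2020 GMT
Not After : Nov 5 22:06:00 2021 GMT
"""

HEADER_RE = re.compile(r"^(?P<host>\S+) - (?P<path>/\S+\.pem)$")
DATE_RE = re.compile(r"^Not (?P<which>Before|After)\s*:\s*(?P<date>.+ GMT)$")


def parse_openssl_date(text: str) -> datetime:
    """Parse 'Nov  5 22:06:00 2021 GMT' (openssl pads the day with spaces)."""
    normalized = " ".join(text.split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def as_utc(value: Union[str, datetime]) -> datetime:
    """Accept a datetime or a 'YYYY-MM-DD' string and return an aware UTC datetime."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_validity_report(text: str) -> List[Dict]:
    """Return one record per certificate with host, path, not_before, not_after."""
    certs: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = {"host": header["host"], "path": header["path"],
                       "not_before": None, "not_after": None}
            certs.append(current)
            continue
        date = DATE_RE.match(line)
        if date and current is not None:
            key = "not_before" if date["which"] == "Before" else "not_after"
            current[key] = parse_openssl_date(date["date"])
    # Drop incomplete entries (e.g. a header whose dates were cut off).
    return [c for c in certs if c["not_before"] and c["not_after"]]


def lifetime_days(cert: Dict) -> int:
    return (cert["not_after"] - cert["not_before"]).days


def days_remaining(cert: Dict, now: Union[str, datetime]) -> int:
    return (cert["not_after"] - as_utc(now)).days


def summarize(text: str, now: Union[str, datetime], threshold_days: int = 30) -> List[Dict]:
    """Flag certificates whose remaining lifetime is below threshold_days."""
    rows = []
    for cert in parse_validity_report(text):
        remaining = days_remaining(cert, now)
        rows.append({
            "host": cert["host"],
            "file": cert["path"].rsplit("/", 1)[-1],
            "lifetime_days": lifetime_days(cert),
            "days_remaining": remaining,
            "needs_attention": remaining < threshold_days,
        })
    return rows


if __name__ == "__main__":
    # Assumed reference date; in practice use datetime.now(timezone.utc).
    for row in summarize(SAMPLE_OUTPUT, "2021-10-20"):
        print(row)
```

Feed it the concatenated output of `openssl x509 -noout -dates` per node (prefixed with the "host - path" header as in the question) and anything flagged with needs_attention is a certificate whose automatic rotation should be verified, for example by checking for pending CSRs on the cluster.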