feat: Support certificate validity period config in kubeadm v1beta4 (#12272)

ErikJiang · web-flow · commit 3454cd2c6963 · 2025-06-02T20:44:37.000-07:00
Signed-off-by: bo.jiang &lt;bo.jiang@daocloud.io&gt;
diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -255,3 +255,9 @@ kubeadm_image_pull_serial: true
 # can be one of RSA-2048(default), RSA-3072, RSA-4096, ECDSA-P256
 # ref: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
 kube_asymmetric_encryption_algorithm: "RSA-2048"
+
+# certificates validity period configuration
+# non-CA certificate validity period, default 1 year (365d × 24h = 8760h)
+kube_cert_validity_period: 8760h
+# CA certificate validity period, default 10 years (365d × 24h × 10 = 87600h)
+kube_ca_cert_validity_period: 87600h
diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -40,6 +40,8 @@ apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 clusterName: {{ cluster_name }}
 encryptionAlgorithm: {{ kube_asymmetric_encryption_algorithm }}
+certificateValidityPeriod: {{ kube_cert_validity_period }}
+caCertificateValidityPeriod: {{ kube_ca_cert_validity_period }}
 etcd:
 {% if etcd_deployment_type != "kubeadm" %}
   external:
