From 3454cd2c6963b49fe0bf02728b5dc7cbde8f400c Mon Sep 17 00:00:00 2001
From: ERIK
Date: Tue, 3 Jun 2025 11:44:37 +0800
Subject: [PATCH] feat: Support certificate validity period config in kubeadm v1beta4 (#12272)

Signed-off-by: bo.jiang
---
 roles/kubernetes/control-plane/defaults/main/main.yml | 6 ++++++
 .../control-plane/templates/kubeadm-config.v1beta4.yaml.j2 | 2 ++
 2 files changed, 8 insertions(+)

diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 71ecfc4a9..d30a94900 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -255,3 +255,9 @@ kubeadm_image_pull_serial: true
 # can be one of RSA-2048(default), RSA-3072, RSA-4096, ECDSA-P256
 # ref: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
 kube_asymmetric_encryption_algorithm: "RSA-2048"
+
+# certificates validity period configuration
+# non-CA certificate validity period, default 1 year (365d × 24h = 8760h)
+kube_cert_validity_period: 8760h
+# CA certificate validity period, default 10 years (365d × 24h × 10 = 87600h)
+kube_ca_cert_validity_period: 87600h
diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
index ec256ad14..a157348e2 100644
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -40,6 +40,8 @@ apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 clusterName: {{ cluster_name }}
 encryptionAlgorithm: {{ kube_asymmetric_encryption_algorithm }}
+certificateValidityPeriod: {{ kube_cert_validity_period }}
+caCertificateValidityPeriod: {{ kube_ca_cert_validity_period }}
 etcd:
 {% if etcd_deployment_type != "kubeadm" %}
 external:
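Review bot: The comments above `kube_cert_validity_period` and `kube_ca_cert_validity_period` write the arithmetic as `365d × 24h` but never state the accepted value format, which invites an override such as `365d`; kubeadm reads these fields as Go durations, and those have no day unit. I would add `# Go duration string, e.g. 8760h; day units such as 365d are not accepted` above the first variable. Because these two values decide how long a leaked leaf or CA private key stays usable, a second comment line saying that raising them widens that window, and that lowering the leaf period means renewal must run more often, would help whoever tunes them.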
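Review bot: The two added lines render the variables as plain unquoted scalars, so an inventory override that is empty or a bare number such as `8760` would reach kubeadm as null or an integer instead of a duration string. Quoting keeps the type fixed: `certificateValidityPeriod: "{{ kube_cert_validity_period }}"` and `caCertificateValidityPeriod: "{{ kube_ca_cert_validity_period }}"`. Nothing visible in this commit checks that the CA period is longer than the leaf period or puts an upper bound on either value; if the role has a preflight assertion for cluster variables, that would be the place for it, though it is not visible from here. The ClusterConfiguration document starts and continues outside the hunk.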