kubernetes-sigs/kubespray

k8s-certs-renew renews certs every month

Open

#13072 opened on Mar 3, 2026

Labels: Ubuntu 24, help wanted, kind/bug

Description

What happened?

When k8s-certs-renew is running, next_time is empty, causing the certs to be renewed directly, which effectively renews the certs every month.

Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985557]: ++ systemctl show k8s-certs-renew.timer -p NextElapseUSecRealtime --value
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: + next_time=
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: + '[' '' == '' ']'
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: + echo '## Skip expiry comparison due to fail to parse next elapse from systemd calendar,do renewal directly ##'
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: ## Skip expiry comparison due to fail to parse next elapse from systemd calendar,do renewal directly ##
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: + echo '## Renewing certificates managed by kubeadm ##'
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: ## Renewing certificates managed by kubeadm ##
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: + /usr/local/bin/kubeadm certs renew all

I dumped all the properties of the timer in k8s-certs-renew.sh; it seems there's no NextElapseUSecRealtime when the timer is active. timer-values.txt

What did you expect to happen?

only renew certs when necessary

How can we reproduce it (as minimally and precisely as possible)?

1

OS

Ubuntu 24

Version of Ansible

all supported versions

Version of Python

all supported versions

Version of Kubespray (commit)

v2.30.0

Network plugin used

custom_cni

Full inventory with variables

1

Command used to invoke ansible

1

Output of ansible run

1

Anything else we need to know

No response
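
One way to keep the expiry comparison when the timer property comes back empty, as in the log above. This is an added example, not kubespray's script: the function name `renewal_decision`, its arguments and the 35-day fallback window are assumptions, and it relies on GNU `date -d` for parsing.

```shell
#!/usr/bin/env bash
# Added example (not the project's code): decide "renew" or "skip" even when
# NextElapseUSecRealtime is empty, instead of renewing unconditionally.
#
# renewal_decision NEXT_ELAPSE EXPIRY_EPOCH NOW_EPOCH [FALLBACK_DAYS]
#   NEXT_ELAPSE   value printed by:
#                   systemctl show k8s-certs-renew.timer \
#                     -p NextElapseUSecRealtime --value
#                 (may be empty, as in the log above)
#   EXPIRY_EPOCH  earliest certificate notAfter, in seconds since the epoch
#   NOW_EPOCH     current time, in seconds since the epoch
#   FALLBACK_DAYS assumed look-ahead used when NEXT_ELAPSE is unusable
renewal_decision() {
  local next_elapse=$1 expiry=$2 now=$3 fallback_days=${4:-35}
  local horizon

  # GNU `date -d ""` succeeds and returns today's midnight, so an empty
  # value has to be rejected explicitly before parsing.
  if [ -n "$next_elapse" ] && horizon=$(date -d "$next_elapse" +%s 2>/dev/null); then
    : # horizon is the next scheduled timer run
  else
    # Empty or unparseable: look ahead by a fixed window rather than
    # skipping the expiry comparison.
    horizon=$(( now + fallback_days * 86400 ))
  fi

  # Renew only if the certificate would expire on or before the horizon.
  if [ "$expiry" -le "$horizon" ]; then
    echo renew
  else
    echo skip
  fi
}
```
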
