k8s-certs-renew renews certs every month

[lazybetrayer]

What happened?

When k8s-certs-renew is running, next_time is emtpy, causing the certs renewed directly, effectively renews the certs every month.

Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985557]: ++ systemctl show k8s-certs-renew.timer -p NextElapseUSecRealtime --value
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: + next_time=
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: + '[' '' == '' ']'
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: + echo '## Skip expiry comparison due to fail to parse next elapse from systemd calendar,do renewal directly ##'
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: ## Skip expiry comparison due to fail to parse next elapse from systemd calendar,do renewal directly ##
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: + echo '## Renewing certificates managed by kubeadm ##'
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: ## Renewing certificates managed by kubeadm ##
Mar 03 10:13:11 master1 k8s-certs-renew.sh[1985529]: + /usr/local/bin/kubeadm certs renew all

I dumped all the properties of the timer ink8s-certs-renew.sh, it seems there's no NextElapseUSecRealtime when timer is active.
timer-values.txt

What did you expect to happen?

only renew certs when necessary

How can we reproduce it (as minimally and precisely as possible)?

1

OS

Ubuntu 24

Version of Ansible

all supported versions

Version of Python

all supported versions

Version of Kubespray (commit)

v2.30.0

Network plugin used

custom_cni

Full inventory with variables

1

Command used to invoke ansible

1

Output of ansible run

1

Anything else we need to know

No response

[lazybetrayer]

#12875 (comment)
Another error as described here, also causes problems for master nodes except the first one.

[zhenliangliang]

@lazybetrayer
[release-2.29] k8s-certs-renew: fix broken script #12881 "This version still does not resolve the issue of certificates being forcibly rotated every month. This is due to the underlying state logic of the timer: when the Timer triggers the Service to start executing, the Timer considers that the 'current cycle is not yet finished', thereby clearing the current next scheduled time (setting it to an empty value). It is only after the Service completes execution and exits that it recalculates and sets the next scheduled time.

Switching to systemd-analyze calendar as the time calculation engine provides the perfect and most robust solution. It completely bypasses the complexities of the Timer's lifecycle and directly calculates the future time by relying purely on the calendar rules. I have modified the k8s-certs-renew.sh script based on this approach:"
Original content：
#next_time=$(systemctl show k8s-certs-renew.timer -p NextElapseUSecRealtime --value)
Modified content：
next_time=$(LANG=C systemd-analyze calendar "$calendar" | grep "Next elapse:" | sed 's/.*Next elapse: //')
Execute the scheduled task again：
Mar 6 14:16:45 omt-k8m001 k8s-certs-renew.sh[94446]: W0306 14:16:45.402363 94446 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
Mar 6 14:16:45 omt-k8m001 k8s-certs-renew.sh[94432]: ## Skip cert renew and K8S container restart, since all residualTimes are beyond threshold ##