Renewing Kubernetes 1.14.x cluster certificates
This topic applies only when you are running Kubernetes 1.14.x. To find the Kubernetes version, enter the following command:
kubectl version --short
The Kubernetes cluster certificates have a lifespan of one year, so it is important to know when they expire. To determine the expiry date, run the following command as the root user on the Kubernetes master (the CA certificates are excluded because kubeadm issues them with a 10-year lifespan):
find /etc/kubernetes/pki/ -type f -name "*.crt" -print | egrep -v 'ca.crt$' | xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {} | grep After'
For example, if your certificates expire on May 1, 2021, the output resembles the following:
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt|grep After
Not After : May 1 00:25:47 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver-kubelet-client.crt|grep After
Not After : May 1 00:30:35 2021 GMT
bash -c openssl x509 -noout -text -in /etc/kubernetes/pki/front-proxy-client.crt|grep After
Not After : May 1 00:31:02 2021 GMT
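The command above prints the dates for you to read by eye. The following script is an added example, not part of the FCI documentation, that turns the same check into a pass/fail gate with openssl x509 -checkend, so it can run from cron or a monitoring check. It goes beyond the page by also covering the etcd certificates and the kubelet's own rotated certificates; the file list, the skip rule for CA certificates, and the 30-day warning window (WARN_DAYS) are assumptions, and the paths are the kubeadm defaults used on this page.

```shell
#!/bin/bash
# Added example, not part of the FCI documentation. A certificate counts as
# EXPIRING when it will no longer be valid WARN_DAYS days from now.
# Assumptions: kubeadm default paths as used on this page; WARN_DAYS=30.

WARN_DAYS="${WARN_DAYS:-30}"

# cert_ok_for_days FILE DAYS
# 0: still valid DAYS days from now; 1: expires within DAYS days (or has
# already expired); 2: FILE is not a readable PEM certificate.
cert_ok_for_days() {
    if ! openssl x509 -noout -in "$1" >/dev/null 2>&1; then
        return 2
    fi
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# cert_not_after FILE: print the Not After date, e.g. "May  1 00:25:47 2021 GMT".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# check_certs FILE...: report every file, skipping CA certificates (kubeadm
# issues those for 10 years, leaf certificates for 1 year) and missing paths.
# Returns 1 if any certificate is expiring or unreadable, otherwise 0.
check_certs() {
    local f rc bad=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        case "$f" in */ca.crt|*/front-proxy-ca.crt) continue ;; esac
        if cert_ok_for_days "$f" "$WARN_DAYS"; then rc=0; else rc=$?; fi
        case "$rc" in
            0) printf 'OK         %s  %s\n' "$(cert_not_after "$f")" "$f" ;;
            1) printf 'EXPIRING   %s  %s\n' "$(cert_not_after "$f")" "$f"; bad=1 ;;
            *) printf 'UNREADABLE %s\n' "$f"; bad=1 ;;
        esac
    done
    return "$bad"
}

# check_cluster_certs: control-plane PKI, etcd PKI and the kubelet's own
# rotated certificates. Unmatched globs are passed through and skipped above.
check_cluster_certs() {
    check_certs /etc/kubernetes/pki/*.crt /etc/kubernetes/pki/etcd/*.crt \
        /var/lib/kubelet/pki/kubelet.crt \
        /var/lib/kubelet/pki/kubelet-client-current.pem \
        /var/lib/kubelet/pki/kubelet-server-current.pem
}

# Run the report when executed on a node that has the kubeadm PKI directory.
if [ -d /etc/kubernetes/pki ]; then
    check_cluster_certs
fi
```

Run it as root on the master and on each worker; a non-zero exit status means at least one certificate is inside the warning window or could not be parsed. The check is deliberately on the files rather than on the live API server port, because the kubelet client and server certificates on disk are the ones that fail first when rotation has silently stopped.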
You should renew before the expiry date. If the cluster certificates on the Kubernetes master expire, the kubelet service fails, and kubectl commands such as kubectl get pods or kubectl exec -it container_name bash return a message similar to: Unable to connect to the server: x509: certificate has expired or is not yet valid.
If your Kubernetes cluster certificate has not expired and your system is still operational, you do not need to plan for a system outage because IBM Financial Crimes Insight will remain operational during the following procedure.
Procedure
To regenerate the certificates and update the master and worker nodes:
- On the Kubernetes master, renew the kubelet server certificate /var/lib/kubelet/pki/kubelet.crt by submitting a certificate signing request (CSR) that is signed by the Kubernetes master CA. The kubelet client certificate (kubelet-client-current.pem) is renewed automatically.
- Back up /var/lib/kubelet/config.yaml:
cp /var/lib/kubelet/config.yaml /var/lib/kubelet/config.yaml.bak
- Insert the following snippet into /var/lib/kubelet/config.yaml to enable rotation of the kubelet server and client certificates. The key is featureGates with a lowercase f; a misspelled key is not applied and rotation stays disabled.
serverTLSBootstrap: true
featureGates:
  RotateKubeletClientCertificate: true
  RotateKubeletServerCertificate: true
- Run kubectl edit cm kubelet-config-1.14 -n kube-system and add the same snippet under the kubelet section, so that the cluster-wide kubelet configuration matches the node:
serverTLSBootstrap: true
featureGates:
  RotateKubeletClientCertificate: true
  RotateKubeletServerCertificate: true
- Back up /etc/kubernetes/kubelet.conf:
cp /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.bak.new
- Point /etc/kubernetes/kubelet.conf at the current kubelet client certificate. In versions of kubeadm before 1.17 there is a bug: kubeadm init writes an embedded client certificate into kubelet.conf instead of a reference to the rotated certificate, so you must edit the file by hand. Replace the client-certificate-data and client-key-data entries with the following lines:
client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
- Update $HOME/.kube/config with the latest admin.conf:
/bin/cp $HOME/.kube/config $HOME/.kube/config.orig
/bin/cp /etc/kubernetes/admin.conf $HOME/.kube/config
export KUBECONFIG=$HOME/.kube/config
- Restart the kubelet to trigger a new CSR:
systemctl restart kubelet
- Run kubectl get csr to find the CSR that the Kubernetes master VM's kubelet submitted, and approve it. Approve only CSRs whose requestor is the node identity (system:node:<node_name>) and whose condition is Pending; do not approve CSRs from other requestors as part of this procedure.
kubectl get csr
kubectl certificate approve <csr_name>
- Run the following command to verify that the kubelet server certificate was created:
ls -ld /var/lib/kubelet/pki/kubelet-server*
The output should be similar to the following:
kubelet-server-2020-06-16-20-06-09.pem
kubelet-server-current.pem -> /var/lib/kubelet/pki/kubelet-server-2020-06-16-20-06-09.pem
- For the Kubernetes worker VMs, renew the kubelet server certificate kubelet.crt. The kubelet client certificate (kubelet-client-current.pem) is renewed automatically.
- Back up /var/lib/kubelet/config.yaml:
cp /var/lib/kubelet/config.yaml /var/lib/kubelet/config.yaml.bak
- To enable rotation of the kubelet server certificate, insert the following snippet into /var/lib/kubelet/config.yaml (the key is featureGates with a lowercase f):
serverTLSBootstrap: true
featureGates:
  RotateKubeletClientCertificate: true
  RotateKubeletServerCertificate: true
- Restart the kubelet.
systemctl restart kubelet
- Log in to the Kubernetes master VM and find the CSR that the worker VM's kubelet submitted:
kubectl get csr
- Approve the CSR (again, only a Pending CSR whose requestor is system:node:<worker_name>):
kubectl certificate approve <csr_name>
- Run the following command on the worker to verify that the kubelet server certificate was created:
ls -ld /var/lib/kubelet/pki/kubelet-server*
The output should be similar to the following:
kubelet-server-2020-06-16-20-06-09.pem
kubelet-server-current.pem -> /var/lib/kubelet/pki/kubelet-server-2020-06-16-20-06-09.pem
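The approval and verification steps for the master and the worker kubelets come down to the same three checks: approve only the CSRs that this procedure actually generated, confirm that kubelet.conf references the rotating client certificate rather than an embedded one, and confirm that the kubelet-server-current.pem symlink exists. The following helpers are an added example, not from the FCI documentation. They assume the kubectl get csr column layout of Kubernetes 1.14 (NAME, AGE, REQUESTOR, CONDITION), the kubeadm default paths used on this page, and a hypothetical DRY_RUN variable; the sample CSR listing used in the test is constructed.

```shell
#!/bin/bash
# Added example, not part of the FCI documentation. Approves only the kubelet
# CSRs this procedure is expected to produce, then verifies the node-side result.
# Assumed column layout of `kubectl get csr` on Kubernetes 1.14:
# NAME  AGE  REQUESTOR  CONDITION

# pending_node_csrs: read `kubectl get csr` output on stdin and print the names
# of CSRs that are still Pending and were requested by a node identity
# (system:node:<name>). A blanket `kubectl certificate approve` of every
# Pending CSR would also sign requests from service accounts or users, so
# anything that is not a node CSR is left for a human to review.
pending_node_csrs() {
    awk 'NR > 1 && $3 ~ /^system:node:/ && $4 == "Pending" { print $1 }'
}

# approve_pending_node_csrs: approve the filtered CSRs, or only list them when
# DRY_RUN=1 (DRY_RUN is an assumption of this example, not a kubectl feature).
approve_pending_node_csrs() {
    local name
    kubectl get csr | pending_node_csrs | while read -r name; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would approve $name"
        else
            kubectl certificate approve "$name"
        fi
    done
}

# kubeconfig_uses_rotating_cert FILE: return 0 if the kubeconfig (for example
# /etc/kubernetes/kubelet.conf) references kubelet-client-current.pem for both
# certificate and key, and does not still carry an embedded client certificate.
kubeconfig_uses_rotating_cert() {
    local conf="$1"
    if grep -q 'client-certificate-data:' "$conf"; then
        return 1
    fi
    grep -q 'client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem' "$conf" &&
        grep -q 'client-key: /var/lib/kubelet/pki/kubelet-client-current.pem' "$conf"
}

# kubelet_server_cert_ready PKI_DIR: return 0 if kubelet-server-current.pem is a
# symlink to a dated kubelet-server-*.pem file that exists (the layout shown in
# the ls output on this page), otherwise 1.
kubelet_server_cert_ready() {
    local pki="$1" target
    [ -L "$pki/kubelet-server-current.pem" ] || return 1
    target=$(readlink "$pki/kubelet-server-current.pem")
    case "$target" in
        "$pki"/kubelet-server-*.pem|kubelet-server-*.pem)
            [ -f "$pki/kubelet-server-current.pem" ] ;;
        *) return 1 ;;
    esac
}

# Standalone use on the master: approve node CSRs, then verify this node.
if [ "${1:-}" = "--approve" ]; then
    approve_pending_node_csrs
    kubeconfig_uses_rotating_cert /etc/kubernetes/kubelet.conf && echo "kubelet.conf: rotating client certificate"
    kubelet_server_cert_ready /var/lib/kubelet/pki && echo "kubelet-server-current.pem: present"
fi
```

Run DRY_RUN=1 first to see which CSRs would be approved; on a healthy cluster mid-procedure that list should contain exactly one entry per node you just restarted. The kubelet.conf check is a plain grep against kubeadm's YAML layout, which is sufficient here because the page's manual edit replaces the two data keys with the two path keys verbatim.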
- Stop the Kubernetes cluster:
- As the root user, stop all worker nodes, simultaneously or individually. If running in VMware vSphere, use Shutdown Guest OS. Otherwise, run the following command from a terminal session:
shutdown -h now
- After all the worker nodes are shut down, shut down the Kubernetes master node. If the NFS server is on a different host than the Kubernetes master, you can shut down the Kubernetes master at the same time as the worker nodes.
- Stop the NFS server next. By default, it is located on the Kubernetes master node and is shut down when the master node host or virtual machine is powered off.
- Stop the server or virtual machine running the Docker registry last. The Docker registry normally runs on the Kubernetes master node and is stopped when the master node is powered off.
- Start the Kubernetes cluster:
- Start the Docker registry. Normally the Docker registry is on the same node as the Kubernetes master and starts automatically when the server or virtual machine that contains it is started.
- Start the NFS server, and wait two minutes after the operating system has started before proceeding, to ensure that the NFS server is running. Normally the NFS server is on the Kubernetes master and starts automatically when the server or virtual machine that contains it is started.
- If not already running, start the Kubernetes master and all worker nodes at the same time. If the Kubernetes master was already running, start all worker nodes at the same time or individually in rapid succession.
- After all VMs are up and running, run the following commands to check the health of the system:
kubectl get pods
kubectl get nodes
On the Kubernetes master, run the following command to check the expiry date of the certificate that the API server presents:
echo | openssl s_client -showcerts -connect 127.0.0.1:6443 -servername api 2>/dev/null | openssl x509 -noout -enddate
Log in to the FCI application.