Created
May 16, 2021 11:21
reset all kubernetes certificates after they expired
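# Runbook: renew the kubeadm-managed certificates after they have expired.
# do not run these commands without knowing what they mean
# use these commands if you've been naughty and didn't have a reminder or alert
# set up to notify you about certificates used by kubernetes about to expire,
# which bricks the whole control-plane
# used on K8S 1.18
# on later K8S versions the cert commands are no longer alpha commands
# (`kubeadm certs ...` instead of `kubeadm alpha certs ...`)
# these commands need to be executed on all master nodes; they read and write
# /etc/kubernetes, so they are typically run as root

# to find out if these commands apply to your situation:
# print the expiry date (notAfter) of every cert used by K8S components.
# Files whose name ends in ca.crt are skipped: the renew commands below re-sign
# leaf certificates and do not replace the CAs.
# The path is handed to the inner shell as "$1" instead of being pasted into
# the command string, so an odd file name cannot be interpreted as shell code.
# `kubeadm alpha certs check-expiration` prints a similar overview.
find /etc/kubernetes/pki/ -type f -name '*.crt' ! -name '*ca.crt' \
  -exec sh -c 'printf "%s: " "$1"; openssl x509 -noout -enddate -in "$1"' sh {} \;

# create backups
# The copy holds everything under /etc/kubernetes, including the private keys
# in pki/ and admin.conf. `cp -a` keeps mode and ownership so the key files
# stay as restricted as the originals; delete the backup once the cluster is
# healthy again, it is a second copy of the cluster's key material.
# If /etc/kubernetes.old already exists, `cp` would nest the copy inside it,
# so nothing is copied in that case.
if [ -e /etc/kubernetes.old ]; then
  echo "/etc/kubernetes.old already exists; move it aside before continuing" >&2
else
  cp -a /etc/kubernetes /etc/kubernetes.old
  # presumably scratch data that is not needed in the backup -- confirm
  rm -rf /etc/kubernetes.old/tmp
fi

# re-generate the certs under /etc/kubernetes/pki
# This list does not include the client certificates embedded in admin.conf,
# controller-manager.conf and scheduler.conf; those are renewed with
# `kubeadm alpha certs renew admin.conf` (etc.), or everything at once with
# `kubeadm alpha certs renew all`.
kubeadm alpha certs renew apiserver-kubelet-client
kubeadm alpha certs renew apiserver
kubeadm alpha certs renew front-proxy-client
kubeadm alpha certs renew apiserver-etcd-client
kubeadm alpha certs renew etcd-server
kubeadm alpha certs renew etcd-healthcheck-client
kubeadm alpha certs renew etcd-peer

# restart etcd
# Stop the container; the kubelet is expected to start a fresh one that loads
# the renewed certificates. The other control-plane containers (apiserver,
# controller-manager, scheduler) read their certificates at startup as well,
# so restart them the same way if they keep presenting the old ones.
docker ps | grep etcd
# ETCD_CONTAINER_ID is not set anywhere here: set it to the id printed above.
# The command refuses to run while it is empty.
docker stop "${ETCD_CONTAINER_ID:?set ETCD_CONTAINER_ID to the id printed by the command above}"

# check if you still have a job (i.e. the API server answers again)
# admin.conf carries its own client certificate; if this call is rejected as
# expired, renew admin.conf as described above.
kubectl --kubeconfig /etc/kubernetes/admin.conf get nodes

# generate and print new configs if needed
# The output contains a freshly generated client key: redirect it to a
# root-only file rather than leaving it in terminal scrollback.
# NOTE(review): on kubeadm clusters the controller manager normally
# authenticates as system:kube-controller-manager -- confirm the client name
# before using the generated kubeconfig.
# kubeadm alpha kubeconfig user --client-name kube-controller-manager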