@Juravenator
Created May 16, 2021 11:21
reset all kubernetes certificates after they expired
# do not run these commands without knowing what they mean
# use these commands if you've been naughty and didn't have a reminder or alert set up to notify you about
# certificates used by kubernetes about to expire, which bricks the whole control-plane
# used on K8S 1.18
# on later K8S versions some of these commands are probably no longer alpha commands
# these commands need to be executed on all master nodes
# to find out if these commands apply to your situation,
# this command will print expiry dates of all certs used by K8S components (CA certs are filtered out)
find /etc/kubernetes/pki/ -type f -name "*.crt" -print | grep -Ev 'ca\.crt$' | xargs -t -I {} openssl x509 -noout -enddate -in {}
# create backups
cp -r /etc/kubernetes /etc/kubernetes.old
rm -rf /etc/kubernetes.old/tmp
# re-generate all certs
kubeadm alpha certs renew apiserver-kubelet-client
kubeadm alpha certs renew apiserver
kubeadm alpha certs renew front-proxy-client
kubeadm alpha certs renew apiserver-etcd-client
kubeadm alpha certs renew etcd-server
kubeadm alpha certs renew etcd-healthcheck-client
kubeadm alpha certs renew etcd-peer
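# restart etcd: stop its container and the kubelet starts a new one that loads the renewed certs
docker ps | grep etcd
docker stop <id>  # <id> is the container ID printed by the previous command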
# check if you still have a job
kubectl --kubeconfig /etc/kubernetes/admin.conf get nodes
# generate and print new configs if needed
# kubeadm alpha kubeconfig user --client-name kube-controller-manager
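
The opening comments name the root cause: no reminder or alert before the certificates expired. Below is a minimal expiry check for cron or a monitoring agent, added here as an example and not part of the original gist. It assumes GNU date, openssl on PATH and kubeadm's default /etc/kubernetes/pki; the function names and the PKI_DIR and WARN_DAYS variables are hypothetical.

```shell
#!/bin/sh
# Added example (not from the gist): expiry check for kubeadm certificates,
# meant for cron or a monitoring agent. Assumes GNU date and openssl on PATH.
# PKI_DIR, WARN_DAYS and both function names are hypothetical.
PKI_DIR="${PKI_DIR:-/etc/kubernetes/pki}"
WARN_DAYS="${WARN_DAYS:-30}"

# cert_status NOT_AFTER NOW_EPOCH WARN_DAYS
# NOT_AFTER is the date part of `openssl x509 -enddate` output.
# Prints EXPIRED, "WARN <days left>", "OK <days left>" or UNPARSEABLE.
cert_status() {
  end=$(date -u -d "$1" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 0; }
  left=$(( end - $2 ))
  if [ "$left" -le 0 ]; then
    echo "EXPIRED"
  elif [ "$left" -lt $(( $3 * 86400 )) ]; then
    echo "WARN $(( left / 86400 ))"
  else
    echo "OK $(( left / 86400 ))"
  fi
}

# scan_pki DIR: one status line per certificate under DIR, CA certs included.
# Returns 1 if anything is expired, unreadable or inside the warning window.
scan_pki() {
  now=$(date -u +%s)
  find "$1" -type f -name '*.crt' | (
    rc=0
    while IFS= read -r crt; do
      not_after=$(openssl x509 -noout -enddate -in "$crt" 2>/dev/null | cut -d= -f2)
      if [ -n "$not_after" ]; then
        status=$(cert_status "$not_after" "$now" "$WARN_DAYS")
      else
        status="UNREADABLE"
      fi
      printf '%-12s %s\n' "$status" "$crt"
      case $status in OK*) ;; *) rc=1 ;; esac
    done
    exit "$rc"
  )
}

# Scan only where the PKI directory exists, i.e. on a control-plane node.
if [ -d "$PKI_DIR" ]; then
  scan_pki "$PKI_DIR"
fi
```

Unlike the one-liner at the top of the gist, this check includes the CA certificates, whose expiry also needs a reminder.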