Script to renew cluster certificates #9709
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
eks-distro-bot
added
the
size/XL
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #9709 +/- ##
==========================================
+ Coverage 69.84% 69.86% +0.01%
==========================================
Files 672 672
Lines 49810 49831 +21
==========================================
+ Hits 34791 34812 +21
Misses 13236 13236
Partials 1783 1783 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
panktishah26
force-pushed
the
script-renew-certs
branch
2 times, most recently
from
2caa5b2 to
9912a3b
Compare
|
|
||
| Use this script **if your cluster certificates are nearing expiration**. | ||
|
|
||
| If any certificate is **already expired**, follow the [manual renewal steps](https://anywhere.eks.amazonaws.com/docs/clustermgmt/security/manually-renew-certs/) instead. |
There was a problem hiding this comment.
This link would change after you moving it right? Can you see where else this link needs to change, and how the security page will look now?
|
|
||
| ## Overview | ||
|
|
||
| Use this script **if your cluster certificates are nearing expiration**. |
There was a problem hiding this comment.
Will we have a way to check this? We can use kubeadm certs check-expiration on the node to get this information, or if there is a golang api for this
|
|
||
| - Certificate renewal for etcd and control plane nodes. | ||
| - Safe backup of existing certificates and the `kubeadm-config` ConfigMap. | ||
| - Cleanup of temporary files if cetificates are renewed and cluster is healthy. |
There was a problem hiding this comment.
| - Cleanup of temporary files if cetificates are renewed and cluster is healthy. | |
| - Cleanup of temporary files if certificates are renewed and cluster is healthy. |
| - Admin machine with: | ||
| - `kubectl`, `jq`, `scp`, `ssh`, and `sudo` installed | ||
| - SSH access to all control plane and etcd nodes |
There was a problem hiding this comment.
There is a mix of punctation and not
| ### 3. Run the Script | ||
|
|
||
| ```bash | ||
| ./renew_certificates.sh <cluster-name> <ssh-user> <path-to-ssh-private-key> |
There was a problem hiding this comment.
No flags? This might make it confusing
| @@ -630,7 +630,7 @@ kubectl get nodes --no-headers -l '!node-role.kubernetes.io/control-plane' -o js | |||
| ``` | |||
|
|
|||
| ### No static pods is running in container runtime on control plane nodes | |||
| When the kubelet systemd service is running on a control plane node and you notice that no [static pods](https://kubernetes.io/docs/concepts/workloads/pods/#static-pods) are running, this could be due to a certificate issue. Check the kubelet service logs. If you see error messages like the ones below, renew the kubelet-client-current.pem certificate by following [these steps]({{< relref "../clustermgmt/security/manually-renew-certs/#kubelet" >}}): | |||
| When the kubelet systemd service is running on a control plane node and you notice that no [static pods](https://kubernetes.io/docs/concepts/workloads/pods/#static-pods) are running, this could be due to a certificate issue. Check the kubelet service logs. If you see error messages like the ones below, renew the kubelet-client-current.pem certificate by following [these steps]({{< relref "../clustermgmt/security/certificate-management/manually-renew-certs.md/#kubelet" >}}): | |||
There was a problem hiding this comment.
The .md looks wrong here, will it work?
| function renew_etcd_certs() { | ||
| cat <<EOF | ||
| # Renew certificates | ||
| sudo etcdadm join phase certificates http://eks-a-etcd-dumb-url |
| cp -r ${ETCD_CERT_DIR}/pki ${ETCD_CERT_DIR}/pki.bak_${BACKUP_DATE} | ||
| rm ${ETCD_CERT_DIR}/pki/* | ||
| cp ${ETCD_CERT_DIR}/pki.bak_${BACKUP_DATE}/ca.* ${ETCD_CERT_DIR}/pki | ||
| echo "✅ Certs backedup--" |
There was a problem hiding this comment.
| echo "✅ Certs backedup--" | |
| echo "✅ Certs backed up--" |
panktishah26
force-pushed
the
script-renew-certs
branch
from
9912a3b to
52a269c
Compare
panktishah26
force-pushed
the
script-renew-certs
branch
from
52a269c to
4409889
Compare
| echo | openssl s_client -connect ${EXTERNAL_ETCD_IP}:2379 2>/dev/null | openssl x509 -noout -dates | ||
| ``` | ||
|
|
||
| You can rotate certificates by following the steps given below. You cannot rotate the `ca` certificate because it is the root certificate. Note that the commands used for Bottlerocket nodes are different than those for Ubuntu and RHEL nodes. |
There was a problem hiding this comment.
Make this a Note or something
| ## Overview | ||
| This script automates: | ||
|
|
||
| - Certificate renewal for etcd and control plane nodes. |
There was a problem hiding this comment.
Can we just remove the punctuation all throughout for bullet points? Not sure if we do that in other sections
| @@ -0,0 +1,111 @@ | |||
| --- | |||
| title: "Manually Renew Cluster Certificates" | |||
| linkTitle: "Script To Renew Certificates" | |||
There was a problem hiding this comment.
I am curious if these instructions should just be in the README of the repo and we can just refer the readme in the official docs. But I would defer to docs writer on that
Description of changes:
The PR includes script to renew external etcd (if present) and control plane certificates for Bottlerocket, Ubuntu, RHEL OS.
Testing (if applicable):
Documentation added/planned (if applicable):
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.