certadm

module

v0.0.0-...-762e8a6 Latest Latest Go to latest Published: May 29, 2019 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/pytimer/certadm

Links

Open Source Insights

README ¶

Certadm

Certadm is a tool that renew Kubernetes cluster certificates created by kubeadm.

Kubernetes cluster created by kubeadm, the certificates expire time is one year, after expired time, cluster can't working. So we should manually renew certificates and make it effect.

This tool support renew Kubernetes cluster certificates, it's scope is limited to the local node filesystem now, but it can be integrated with higher level tools.

Support Kubeadm version

Now the tool only support v1.11.0+, and the latest kubeadm support renew command, so we can use kubeadm renew to renew certificates, the latest kubeadm version will be support.

If the Kubernetes version v1.13.0+, you can see renew certficates .

Certadm commands

certadm renew --config=xx.yaml to renew Kubernetes control-plane components certificates.

Implement workflow

Renew command workflow

backup old certificates
remove old certificates exclude CA and sa, the default certificates directory /etc/kubernetes/pki.

find /etc/kuberentes/pki/ -type f ! -name "ca.*" ! -name "sa.*" | xargs rm

remove control-plane components kubeconfig.

rm /etc/kubernetes/*.conf

create the new certificates according to config file. It will invoke kubeadm command.

kubeadm alpha phase certs all --config=xx.yaml

kubeadm alpha phase kubeconfig all --config=xx.yaml

remove kubelet certificates.

rm /var/libe/kubelet/pki/*

recreate kubectl default kubeconfig.

cp /etc/kubernetes/pki/admin.conf ~/.kube/config

restart control plane containers and kubelet service

Development

build

make build

Examples

Renew certificates and kubeconfig

kubeadm-cert.yaml content:

apiVersion: kubeadm.k8s.io/v1alpha2
kind: MasterConfiguration
kubernetesVersion: v1.11.6
apiServerCertSANs:
- "192.168.10.10"
- "k8s-1"
- "192.168.10.100"
- "cloud.kubernetes.cluster.lb"
api:
    controlPlaneEndpoint: "cloud.kubernetes.cluster.lb:6443"
etcd:
    local:
        serverCertSANs:
        - "192.168.10.10"
        - "192.168.10.100"
        - "cloud.kubernetes.cluster.lb"
        peerCertSANs:
        - "192.168.10.10"
certificatesDir: /etc/kubernetes/pki
nodeRegistration:
    name: "k8s-1"

Renew the Kubernetes certificates.

$ ./bin/certadm renew --config=kubeadm-cert.yaml
I0529 18:24:03.660050    5059 renew.go:53] [renew] Detected and using CRI socket: /var/run/dockershim.sock
[renew] Backup old Kubernetes certificates directory /etc/kubernetes/pki
[renew] Remove old Kubernetes certificates exclude CA and sa
[renew] Remove old kubeconfig file
[renew] Renew Kubernetes certificates
I0529 18:24:10.196249    5059 certs.go:81] [endpoint] WARNING: port specified in api.controlPlaneEndpoint overrides api.bindPort in the controlplane address
[certificates] Using the existing ca certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [k8s-1 kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local cloud.kubernetes.cluster.lb k8s-1 cloud.kubernetes.cluster.lb] and IPs [10.96.0.1 192.168.10.10 192.168.10.10 192.168.10.100]
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Using the existing sa key.
[certificates] Generated front-proxy-ca certificate and key.
[certificates] Generated front-proxy-client certificate and key.
[certificates] Using the existing etcd/ca certificate and key.
[certificates] Generated etcd/server certificate and key.
[certificates] etcd/server serving cert is signed for DNS names [k8s-1 localhost cloud.kubernetes.cluster.lb] and IPs [127.0.0.1 ::1 192.168.10.10 192.168.10.100]
[certificates] Generated etcd/peer certificate and key.
[certificates] etcd/peer serving cert is signed for DNS names [k8s-1 localhost] and IPs [192.168.10.10 127.0.0.1 ::1 192.168.10.10]
[certificates] Generated etcd/healthcheck-client certificate and key.
[certificates] Generated apiserver-etcd-client certificate and key.
[certificates] valid certificates and keys now exist in "/etc/kubernetes/pki"
[renew] Renew Kubernetes components kubeconfig
I0529 18:24:11.283982    5059 kubeconfig.go:45] [endpoint] WARNING: port specified in api.controlPlaneEndpoint overrides api.bindPort in the controlplane address
[endpoint] WARNING: port specified in api.controlPlaneEndpoint overrides api.bindPort in the controlplane address
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
[renew] Remove old kubelet certificates
[renew] Copy admin.conf to $HOME/.kube/config
I0529 18:24:11.353448    5059 renew.go:168] kubernetes-manager containers: [e3694b0955bd a510bbae0087 fa9ea420be81 951b25ad0cbc]
[renew] waiting for the kubelet to boot up the control plane as Static Pods from /etc/kubernetes/manifests
I0529 18:24:23.811292    5059 renew.go:125] [renew] kubernetes-manager containers running
[renew] restarting the kubelet service
[renew] ensure the kubelet service is active

Directories ¶

Path	Synopsis
cmd
pkg
certs
constants
kubeadm
kubeadm/v1alpha2
kubeconfig
util
util/runtime

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL