Home / server / Questions / 1054126
Accepted
sfgroups
Asked: 2021-02-19 05:37:18 +0800 CST

ETCD database cluster certificate renewal for Kubernets external database setup

  • 772

I have deployed 3 node external ETCD database (etcdctl version: 3.4.7) cluster for my Kubernetes v1.18.6 cluster using etcdadm tool. my certificate is expring in couple of months.

I believe kubeadm alpha certs renew all command will renew kubernetes certificates. May Know the correct steps to renew external ETCD database cluster certificate?

my cluster certificate details

# kubeadm alpha certs check-expiration 

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 20, 2021 14:13 UTC   152d                                    no
apiserver                  Jul 20, 2021 14:13 UTC   152d            ca                      no
apiserver-kubelet-client   Jul 20, 2021 14:13 UTC   152d            ca                      no
controller-manager.conf    Jul 20, 2021 14:13 UTC   152d                                    no
front-proxy-client         Jul 20, 2021 14:13 UTC   152d            front-proxy-ca          no
scheduler.conf             Jul 20, 2021 14:13 UTC   152d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Apr 17, 2030 01:19 UTC   9y              no
front-proxy-ca          Apr 17, 2030 01:19 UTC   9y              no

Master node certificate details

/etc/kubernetes/pki/ca.crt,             Apr 17 01:19:52 2030 GMT
/etc/kubernetes/pki/apiserver.crt,             Jul 20 14:13:09 2021 GMT
/etc/kubernetes/pki/apiserver-kubelet-client.crt,             Jul 20 14:13:10 2021 GMT
/etc/kubernetes/pki/front-proxy-ca.crt,             Apr 17 01:19:52 2030 GMT
/etc/kubernetes/pki/front-proxy-client.crt,             Jul 20 14:13:10 2021 GMT


/etc/etcd/pki/ca.crt,             Apr 17 01:19:35 2030 GMT
/etc/etcd/pki/server.crt,             Apr 19 01:19:36 2021 GMT
/etc/etcd/pki/peer.crt,             Apr 19 01:19:36 2021 GMT
/etc/etcd/pki/etcdctl-etcd-client.crt,             Apr 19 01:19:36 2021 GMT
/etc/etcd/pki/apiserver-etcd-client.crt,             Apr 19 01:19:36 2021 GMT

Thanks SR

kubernetes etcd

1 Answers

  1. Best Answer

    I used these steps to renew the certs on kubernets cluster v1.18.6.

    1. compile the etcdadm cert branch code

      git clone -b cert https://github.com/pytimer/etcdadm.git
 cd  etcdadm
 docker run --rm -it -v "$PWD":/etcdadm  golang bash
 cd /etcdadm
 make
 cp etcdadm etcdadm-cert

    2. copy etcdadm-cert file to all three server.

    3. Renew the cert on first master

      /opt/bin/etcdadm-cert certs renew kubeadm alpha certs renew all

    4. Reboot the first master

    5. check the etcd member and kubernetes certificate expire data

    Repeated step 2 to 5 on ther master nodes

    use these commands to validate

    /opt/bin/etcdctl.sh   member list
kubeadm alpha certs check-expiration

    Thanks SR

    • 1