@@ -106,10 +106,32 @@ control plane nodes:
106106 $ sudo kubeadm certs renew all
107107
108108 Once the certificates have been renewed, you will need to restart the
109- Kubernetes control plane components to pick up the new certificates. You need
110- to do this on each one of your control plane nodes by running the following
109+ Kubernetes control plane components to pick up the new certificates. This
110+ includes ``kube-vip ``, which mounts ``/etc/kubernetes/admin.conf `` and will
111+ continue using the old client certificate until it restarts. You need to
112+ do this on each one of your control plane nodes by running the following
111113command one at a time on each node:
112114
113115.. code-block :: console
114116
115- $ ps auxf | egrep '(kube-(apiserver|controller-manager|scheduler)|etcd)' | awk '{ print $2 }' | xargs sudo kill
117+ $ ps auxf | egrep '(kube-(apiserver|controller-manager|scheduler|vip)|etcd)' | awk '{ print $2 }' | xargs sudo kill
118+
119+ The ``kube-prometheus-stack `` chart also stores a copy of the etcd healthcheck
120+ client certificate in a Kubernetes Secret. Refresh that Secret after renewing
121+ the certificates so Prometheus can continue scraping etcd:
122+
123+ .. code-block :: console
124+
125+ $ kubectl -n monitoring create secret generic kube-prometheus-stack-etcd-client-cert \
126+ --from-file=ca.crt=/etc/kubernetes/pki/etcd/ca.crt \
127+ --from-file=healthcheck-client.crt=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
128+ --from-file=healthcheck-client.key=/etc/kubernetes/pki/etcd/healthcheck-client.key \
129+ --dry-run=client -o yaml | kubectl apply -f -
130+
131+ Finally, verify that all renewed certificates are in use:
132+
133+ .. code-block :: console
134+
135+ $ sudo kubeadm certs check-expiration
136+ $ kubectl get --raw='/readyz?verbose'
137+ $ kubectl -n kube-system logs kube-apiserver-$(hostname) --since=5m | grep 'certificate has expired'
0 commit comments