Skip to content

Commit 0c0fe1d

Browse files
[Backport stable/zed] docs(maintenance): update certificate renewal steps (#4064)
Signed-off-by: Guilherme Steinmuller <gsteinmuller@vexxhost.com> Signed-off-by: Mohammed Naser <mnaser@vexxhost.com> Co-authored-by: Guilherme Steinmüller <gsteinmuller@vexxhost.com>
1 parent 682296f commit 0c0fe1d

2 files changed

Lines changed: 31 additions & 3 deletions

File tree

doc/source/admin/maintenance.rst

Lines changed: 25 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -106,10 +106,32 @@ control plane nodes:
106106
$ sudo kubeadm certs renew all
107107
108108
Once the certificates have been renewed, you will need to restart the
109-
Kubernetes control plane components to pick up the new certificates. You need
110-
to do this on each one of your control plane nodes by running the following
109+
Kubernetes control plane components to pick up the new certificates. This
110+
includes ``kube-vip``, which mounts ``/etc/kubernetes/admin.conf`` and will
111+
continue using the old client certificate until it restarts. You need to
112+
do this on each one of your control plane nodes by running the following
111113
command one at a time on each node:
112114

113115
.. code-block:: console
114116
115-
$ ps auxf | egrep '(kube-(apiserver|controller-manager|scheduler)|etcd)' | awk '{ print $2 }' | xargs sudo kill
117+
$ ps auxf | egrep '(kube-(apiserver|controller-manager|scheduler|vip)|etcd)' | awk '{ print $2 }' | xargs sudo kill
118+
119+
The ``kube-prometheus-stack`` chart also stores a copy of the etcd healthcheck
120+
client certificate in a Kubernetes Secret. Refresh that Secret after renewing
121+
the certificates so Prometheus can continue scraping etcd:
122+
123+
.. code-block:: console
124+
125+
$ kubectl -n monitoring create secret generic kube-prometheus-stack-etcd-client-cert \
126+
--from-file=ca.crt=/etc/kubernetes/pki/etcd/ca.crt \
127+
--from-file=healthcheck-client.crt=/etc/kubernetes/pki/etcd/healthcheck-client.crt \
128+
--from-file=healthcheck-client.key=/etc/kubernetes/pki/etcd/healthcheck-client.key \
129+
--dry-run=client -o yaml | kubectl apply -f -
130+
131+
Finally, verify that all renewed certificates are in use:
132+
133+
.. code-block:: console
134+
135+
$ sudo kubeadm certs check-expiration
136+
$ kubectl get --raw='/readyz?verbose'
137+
$ kubectl -n kube-system logs kube-apiserver-$(hostname) --since=5m | grep 'certificate has expired'
Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
---
2+
fixes:
3+
- |
4+
The certificate renewal maintenance documentation now includes steps to
5+
restart the virtual address component and refresh the Prometheus client
6+
Secret for etcd after certificate renewal.

0 commit comments

Comments
 (0)