kontena / pharos-cluster

Pharos - The Kubernetes Distribution
https://k8spharos.dev/
Apache License 2.0

Config file expiration every 30 days. #1011

Open ammarqq opened 5 years ago

ammarqq commented 5 years ago

Requirements: configFile expiration every next month, and generate another config file?

The need for this file is to make sure that the cluster is secure, or to generate a different config file every 30 days using (pharos up) to update the cluster with the new config file.

I'm not sure if it's doable using cluster.yml.

KR

Ammar.

ammarqq commented 5 years ago

And if the Kontena Pharos cluster certificate expired, how can I generate another certificate and a new config file?

KR Ammar.

ammarqq commented 5 years ago

I tried to renew all certificates and generate new certificates manually, as below:

Backup old apiserver, apiserver-kubelet-client, and front-proxy-client certs and keys.

```shell
sudo mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.old
sudo mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.key /etc/kubernetes/pki/apiserver-kubelet-client.key.old
sudo mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.old
sudo mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.old
```

Generate new apiserver, apiserver-kubelet-client, and front-proxy-client certs and keys.

```shell
sudo kubeadm alpha phase certs apiserver --apiserver-advertise-address 172.16.50.21:6443
sudo kubeadm alpha phase certs apiserver-kubelet-client
sudo kubeadm alpha phase certs front-proxy-client
```

Backup old configuration files.

```shell
sudo mv /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.old
sudo mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.old
sudo mv /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.old
sudo mv /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.old
```

```shell
sudo kubeadm alpha phase kubeconfig all --apiserver-advertise-address k8s-jungle-1
```

It generates a new config file and it works, but the workers can't join the master node:

```shell
sudo kubeadm join --token=xxxxxxxxxxxxxxx k8s-jung:6443 --discovery-token-ca-cert-hash sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

And the workers keep asking about the new certificates.

Could you please help and advise? Is there anything built in to Pharos that can help to change the certificates and generate a new config file?

KR Ammar

Timer commented 5 years ago

Just re-run pharos up -- that should do it (I think).

ammarqq commented 5 years ago

Dear Timer,

I already did it and it gave me the same kubeConfig file.

Timer commented 5 years ago

Did you re-output the file with pharos kubeconfig > kubeconfig?

ammarqq commented 5 years ago

Yes sir, and I compared it with the old file using Beyond Compare.

It's the same file.

ammarqq commented 5 years ago

I tried this:

Backup old apiserver, apiserver-kubelet-client, and front-proxy-client certs and keys.

```shell
sudo mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.old
sudo mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.key /etc/kubernetes/pki/apiserver-kubelet-client.key.old
sudo mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.old
sudo mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.old
```

Backup old configuration files.

```shell
sudo mv /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.old
sudo mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.old
sudo mv /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.old
sudo mv /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.old
```

then:

pharos up. It generates a kubeconfig file with a new key, but the old kubeconfig file can still access the k8s cluster. I think because it is generated from the same CA.

How can I generate a new kubeconfig file and make sure that the old kubeconfig file will not work any more?
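To show why the old kubeconfig kept working, here is an added Go example (not Pharos or Kubernetes code): it mints a constructed, in-memory cluster CA and an admin client cert, then applies the same chain check that kube-apiserver's client-certificate authenticator performs against its CA. Re-issuing leaf certs and kubeconfigs under the unchanged CA leaves the old cert valid, since Kubernetes consults no revocation list for client certs; only a new CA (or the old cert's expiry) rejects it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// cred is a certificate with its private key; a CA cred stands in for /etc/kubernetes/pki/ca.{crt,key}.
type cred struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

// mint issues a cert from tmpl: self-signed (a new CA) when issuer is nil, otherwise a leaf signed by issuer.
func mint(tmpl *x509.Certificate, issuer *cred) cred {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if issuer == nil {
		issuer = &cred{tmpl, key} // self-signed: the template is its own issuer
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer.cert, &key.PublicKey, issuer.key)
	if err != nil { panic(err) } // constructed example: only a broken template can fail here
	cert, _ := x509.ParseCertificate(der)
	return cred{cert, key}
}

func newClusterCA() cred {
	return mint(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil)
}

// newAdminCert mirrors the client cert embedded in admin.conf (CN kubernetes-admin, O system:masters).
func newAdminCert(ca cred) cred {
	return mint(&x509.Certificate{SerialNumber: big.NewInt(2),
		Subject:     pkix.Name{CommonName: "kubernetes-admin", Organization: []string{"system:masters"}},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, &ca)
}

// apiserverAccepts is the API server's client-cert check: does the cert chain to --client-ca-file? No revocation lookup.
func apiserverAccepts(ca cred, client *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// OldKubeconfigStillWorks: is an admin cert issued before "rotation" still accepted? rotateCA=false is what the thread did.
func OldKubeconfigStillWorks(rotateCA bool) bool {
	ca := newClusterCA()
	oldAdmin := newAdminCert(ca) // the kubeconfig we want to stop working
	if rotateCA { ca = newClusterCA() } // the API server now trusts a different CA
	return apiserverAccepts(ca, oldAdmin.cert)
}
```

A freshly written kubeconfig therefore invalidates nothing by itself; the old file stays usable until the CA changes or the old client cert expires.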

ammarqq commented 5 years ago

The issue is resolved, using the Vault tool.