littlebigfab (Flight Engineer)

[DO425] Caution: Kubelet client certificate expiring soon

Hello,

Exploring section 6.6 of DO425 - Guided Exercise: Managing Certificates and Service Transport - I realized that the Kubelet client certificate of the lab environment is expiring in 3 months.

[root@node1 node]# openssl x509 -in certificates/kubelet-client-current.pem \
-text -noout
...output omitted...
    Validity
        Not Before: Oct 26 20:08:00 2018 GMT
        Not After : Oct 26 20:08:00 2019 GMT

Just to let you know.

Accepted Solutions
Moderator

Re: [DO425] Caution: Kubelet client certificate expiring soon

In the meanwhile, instead of modifying the time, please try the following:

  1. Log in to the master node as the root user - which gives the system:admin privilege for the cluster.
  2. Run the following command:

oc get csr | awk '/Pending/ {print; system("oc adm certificate approve "$1)}'

This command lists all certificates that are pending approval. Approving this first set of certificates will create another set of two certificates in a pending state, one for each node.

Rerun the command one more time; this will trigger the renewal of the certificates.

Moderator

@littlebigfab I just released a new ROL classroom that fixes the issue.

Please delete your environment and reprovision when you have a chance. The new certificate is valid for ten years.

12 Replies
Moderator

Hey, @littlebigfab,

Thanks for pointing this out!

I am certain the course authors have that in mind, but just in case, I have created a ticket for them.

Cheers,
Grega

A black cat crossing the street signifies that the animal is going somewhere.
Moderator

Thanks for letting us know. We have been watching our courses to make sure to renew the application certificates as they come close to expiration. Thanks @benko for the Jira.

Vale_Uberti (Flight Engineer)

Hi, the certificates are expired and the cluster doesn't work.

Vale_Uberti (Flight Engineer)

For using the lab you can apply this UGLY fix:

1) stop all the VMs except the classroom

2) log in as root in the classroom VM

3) stop the chronyd service

4) comment lines from 3 to 6 of /etc/chronyd.conf

5) timedatectl set-time "2019-07-07" (or something between 2018-10-26 and 2019-10-26)

6) restart chronyd and restart all the stopped VMs.

Moderator

Thanks for the tip, @Vale_Uberti. I will be working within the next few days on updating the classroom and will keep you posted.

Vale_Uberti (Flight Engineer)

Thank you very much @Razique: it works

Moderator

Happy to hear that, @Vale_Uberti. Kudos to Ryan from the cert team for helping me find a temporary workaround while I work on releasing a new blueprint.

Moderator

Exercise for instructors and advanced students out there: rewrite Razique's pipeline using only '-o jsonpath' from oc get and a while loop from Bash. :-)

Then rewrite it again using the K8s module from Ansible. :-P

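The approval step from the accepted solution, written the way the exercise in the last reply suggests (jsonpath output plus a shell while loop), as an added example that is not part of any post in the thread. It approves nothing itself: it only prints the names of pending CSRs whose requestor matches an expected prefix, so they can be reviewed first; the `system:node:` default prefix, the function names and the sample rows are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Expected input, one CSR per line:
#   name<TAB>requestor<TAB>conditions
# which this jsonpath template produces (pending CSRs have no conditions):
#   oc get csr -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.username}{"\t"}{.status.conditions[*].type}{"\n"}{end}'

TAB=$(printf '\t')

# Print names of pending CSRs whose requestor starts with an expected prefix.
# $1: requestor prefix; the default "system:node:" is an assumption about
#     how node identities are named in the cluster.
pending_node_csrs() {
    prefix=${1:-system:node:}
    while IFS="$TAB" read -r name requestor conditions; do
        [ -n "$name" ] || continue
        [ -z "$conditions" ] || continue   # already approved or denied
        case $requestor in
            "$prefix"?*) ;;
            *) echo "skip $name: unexpected requestor $requestor" >&2
               continue ;;
        esac
        case $name in                      # refuse names unsafe to pass on
            *[!a-z0-9.-]*) echo "skip odd name: $name" >&2; continue ;;
        esac
        printf '%s\n' "$name"
    done
}

# Constructed sample rows, not real cluster output.
sample_csrs() {
    printf 'csr-4x9kd\tsystem:node:node1.lab.example.com\t\n'
    printf 'csr-7bq2m\tsystem:node:node2.lab.example.com\tApproved\n'
    printf 'csr-zz81p\tsystem:serviceaccount:demo:builder\t\n'
    printf 'csr-m3n0a\tsystem:node:master.lab.example.com\t\n'
}

# Dry run on the sample: prints csr-4x9kd and csr-m3n0a.
sample_csrs | pending_node_csrs
# On a cluster, pipe the oc jsonpath output in and approve each printed name:
#   ... | pending_node_csrs | while read -r n; do oc adm certificate approve "$n"; done
```

Unlike the `/Pending/` text match, this keys on the absence of a condition and on who submitted the request, so a pending CSR from an unexpected identity is reported on stderr instead of being approved.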