cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
littlebigfab
Flight Engineer Flight Engineer
Flight Engineer
‎07-20-2019 01:41 PM
  • 1,740 Views

[DO425] Caution: Kubelet client certificate expiring soon

Jump to solution

Hello,

Exploring section 6.6 of DO425 - Guided Exercise: Managing Certificates and Service Transport - I realized that the Kubelet client certificate of the lab environment is expiring in 3 months.

[root@node1 node]# openssl x509 -in certificates/kubelet-client-current.pem \
-text -noout
...output omitted...
    Validity
       Not Before: Oct 26 20:08:00 2018 GMT
       Not After : Oct 26 20:08:00 2019 GMT

Just to let you know.

Tags (3)
Join the discussion
2 Solutions

Accepted Solutions
Razique
Flight Engineer Flight Engineer
Flight Engineer
‎11-01-2019 03:33 PM
  • 1,461 Views

Re: [DO425] Caution: Kubelet client certificate expiring soon

Jump to solution

In the meanwhile, instead of modifying the time, please try the following:

  1. Log in to the master node as the root user - which gives the system:admin privilege for the cluster.
  2. Run the following command:

 

oc get csr | awk '/Pending/ {print; system("oc adm certificate approve "$1)}'

This command lists all certificates that are pending approval. Approving this first set of certificates will create another cert of two certificates in a pending state, one for each node.

 

Rerun the command one more time, this will trigger the renewal of the certificates.

 

 

View solution in original post

Reply
Loading...
Razique
Flight Engineer Flight Engineer
Flight Engineer
‎11-07-2019 12:53 AM
  • 1,753 Views

Re: [DO425] Caution: Kubelet client certificate expiring soon

Jump to solution

@littlebigfab I just released a new ROL classroom that fixes the issue.

Please delete your environment and reprovision when you have a chance. The new certificate is valid for ten years.

Screenshot 2019-11-06 12.07.37.png

View solution in original post

Reply
Loading...
12 Replies
oldbenko
Moderator
Moderator
‎07-20-2019 01:57 PM
  • 1,737 Views

Re: [DO425] Caution: Kubelet client certificate expiring soon

Jump to solution

Hey, @littlebigfab,

Thanks for pointing this out!

I am certain the course authors have that in mind, but just in case, I have created a ticket for them.

Cheers,
Grega

A black cat crossing the street signifies that the animal is going somewhere.
[don't forget to kudo a helpful post or mark it as a solution!]
Reply
Loading...
Razique
Flight Engineer Flight Engineer
Flight Engineer
‎07-23-2019 03:36 AM
  • 1,710 Views

Re: [DO425] Caution: Kubelet client certificate expiring soon

Jump to solution

Thanks for letting us know. We have been watching our courses to make sure to renew the applications certificate as they come close to expiration. Thanks @oldbenko for the Jira.

Reply
Loading...
Vale_Uberti
Flight Engineer Flight Engineer
Flight Engineer
‎10-30-2019 05:05 AM
  • 1,541 Views

Re: [DO425] Caution: Kubelet client certificate expiring soon

Jump to solution

Hi certificates are expired and the cluster dosen't work.

0 Kudos
Reply
Loading...
Vale_Uberti
Flight Engineer Flight Engineer
Flight Engineer
‎10-31-2019 04:29 PM
  • 1,501 Views

Re: [DO425] Caution: Kubelet client certificate expiring soon

Jump to solution

For using the lab you can apply this UGLY fix:

1) stop all the vms except the classroom

2) login as root in the classroom vm

3) stop the chronyd service

4) comment lines from 3 to 6 of /etc/chronyd.conf

5) timedatectl set-time "2019-07-07" (or something between 2018-10-26 2019-10-26)

6) restart chronyd and restart all the stopped vm.

0 Kudos
Reply
Loading...
Razique
Flight Engineer Flight Engineer
Flight Engineer
‎10-31-2019 06:11 PM
  • 1,480 Views

Re: [DO425] Caution: Kubelet client certificate expiring soon

Jump to solution

Thanks for the tip @Vale_Uberti I will be working within the next few days on updating the classroom and will keep you posted.

Reply
Loading...
Razique
Flight Engineer Flight Engineer
Flight Engineer
‎11-01-2019 03:33 PM
  • 1,462 Views

Re: [DO425] Caution: Kubelet client certificate expiring soon

Jump to solution

In the meanwhile, instead of modifying the time, please try the following:

  1. Log in to the master node as the root user - which gives the system:admin privilege for the cluster.
  2. Run the following command:

 

oc get csr | awk '/Pending/ {print; system("oc adm certificate approve "$1)}'

This command lists all certificates that are pending approval. Approving this first set of certificates will create another cert of two certificates in a pending state, one for each node.

 

Rerun the command one more time, this will trigger the renewal of the certificates.

 

 

View solution in original post

Reply
Loading...
Vale_Uberti
Flight Engineer Flight Engineer
Flight Engineer
‎11-01-2019 05:57 PM
  • 1,456 Views

Re: [DO425] Caution: Kubelet client certificate expiring soon

Jump to solution

Thank you very much @Razique: it works

0 Kudos
Reply
Loading...
Razique
Flight Engineer Flight Engineer
Flight Engineer
‎11-01-2019 06:00 PM
  • 1,454 Views

Re: [DO425] Caution: Kubelet client certificate expiring soon

Jump to solution

Happy to hear that @Vale_Uberti. Kudos to Ryan from the cert team to help me finding a temporary workaround while I work on releasing a new blueprint Smiley Very Happy

Reply
Loading...
flozano
Moderator
Moderator
‎11-05-2019 02:10 AM
  • 1,402 Views

Re: [DO425] Caution: Kubelet client certificate expiring soon

Jump to solution

Exercise for instructors and advanced students out there: rewrite Razique's pipeline using only '-o jsonpath' from oc get and a while loop from Bash. :-)

Then rewrite it again using the K8s module from Ansible. :-P

0 Kudos
Reply
Loading...
Join the discussion
You must log in to join this conversation.
Red Hat Learning Community

Red Hat

Learning Community

A collaborative learning environment, enabling open source skill development.

Red Hat Inc. Copyright ?2021 Red Hat, Inc. Privacy policy Terms of use