[tools] Add d8 tools pki certs renew for control-plane certificates #368

Draft
trofimovdals wants to merge 1 commit into main from feature/tools-pki-certs-renew

trofimovdals commented May 25, 2026

```
root@trofimov-test:~# /tmp/d8 tools pki certs check
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY
admin.conf                 May 21, 2027 09:31 UTC   360d            ca
apiserver                  May 21, 2027 09:31 UTC   360d            ca
apiserver-etcd-client      May 21, 2027 09:31 UTC   360d            etcd-ca
apiserver-kubelet-client   May 21, 2027 09:31 UTC   360d            ca
controller-manager.conf    May 21, 2027 09:31 UTC   360d            ca
etcd-healthcheck-client    May 21, 2027 09:31 UTC   360d            etcd-ca
etcd-peer                  May 21, 2027 09:31 UTC   360d            etcd-ca
etcd-server                May 21, 2027 09:31 UTC   360d            etcd-ca
front-proxy-client         May 21, 2027 09:31 UTC   360d            front-proxy-ca
scheduler.conf             May 21, 2027 09:31 UTC   360d            ca
super-admin.conf           May 21, 2027 09:31 UTC   360d            ca

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME
ca                      May 18, 2036 09:31 UTC   9y
etcd-ca                 May 18, 2036 09:31 UTC   9y
front-proxy-ca          May 18, 2036 09:31 UTC   9y

root@trofimov-test:~# /tmp/d8 tools pki certs renew all
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate the apiserver uses to access etcd renewed
certificate for the front proxy client renewed
certificate for serving etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for liveness probes to healthcheck etcd renewed

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY
admin.conf                 May 21, 2027 09:31 UTC   360d            ca
apiserver                  May 25, 2027 15:34 UTC   364d            ca
apiserver-etcd-client      May 25, 2027 15:34 UTC   364d            etcd-ca
apiserver-kubelet-client   May 25, 2027 15:34 UTC   364d            ca
controller-manager.conf    May 21, 2027 09:31 UTC   360d            ca
etcd-healthcheck-client    May 25, 2027 15:34 UTC   364d            etcd-ca
etcd-peer                  May 25, 2027 15:34 UTC   364d            etcd-ca
etcd-server                May 25, 2027 15:34 UTC   364d            etcd-ca
front-proxy-client         May 25, 2027 15:34 UTC   364d            front-proxy-ca
scheduler.conf             May 21, 2027 09:31 UTC   360d            ca
super-admin.conf           May 21, 2027 09:31 UTC   360d            ca

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME
ca                      May 18, 2036 09:31 UTC   9y
etcd-ca                 May 18, 2036 09:31 UTC   9y
front-proxy-ca          May 18, 2036 09:31 UTC   9y

Done. Restart kube-apiserver, kube-controller-manager, kube-scheduler and etcd.
```

Signed-off-by: dmitry.trofimov <dmitry.trofimov@flant.com>

trofimovdals requested a review from ldmonster as a code owner May 25, 2026 15:42
trofimovdals marked this pull request as draft May 25, 2026 15:42