@anapsix
Created September 20, 2019 11:06
Check K8s certificates and attempt to renew expired
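#!/usr/bin/env bash
# Check the certificates in /etc/kubernetes/pki and offer to renew any that
# have expired or will expire within 30 days. Requires GNU date and openssl.
set -e
set -u
set -o pipefail

# Ask for confirmation, then renew the named certificate with kubeadm.
renew_cert() {
  local cert="${1:-}"
  local renew="n"
  if [[ "${cert:-_unset_}" == "_unset_" ]]; then
    echo >&2 "Cert must be passed as single argument to renew_cert(), exiting.."
    exit 1
  elif [[ "${cert}" == "ca" || "${cert}" == *-ca ]]; then
    # kubeadm has no renew subcommand for CA certificates (ca, front-proxy-ca);
    # passing one would fail and abort the script under "set -e"
    echo >&2 "Unable to renew CA, skipping.."
    return 0
  fi
  echo -n "Renew ${cert}? [y/n] "
  read -r renew
  case "${renew}" in
    y|Y)
      echo "renewing \"${cert}\".."
      # In kubeadm v1.20+ this command is "kubeadm certs renew"
      kubeadm alpha certs renew "${cert}"
      ;;
    *)
      echo "not renewing ${cert}.."
      ;;
  esac
}

for cert in $(find /etc/kubernetes/pki -maxdepth 1 -name '*.crt'); do
  echo
  echo "## ${cert}"
  # /etc/kubernetes/pki/apiserver.crt -> apiserver
  cert_name="$(basename "${cert}" .crt)"
  # "notAfter=<date>" -> "<date>"
  exp="$(openssl x509 -enddate -noout -in "${cert}" | cut -d= -f2)"
  exp_epoch=$(date +%s -d "${exp}")
  now_epoch=$(date +%s)
  diff_sec=$(( exp_epoch - now_epoch ))
  if [[ ${diff_sec} -gt 0 ]]; then
    diff_day=$(( diff_sec / 60 / 60 / 24 ))
    echo "expires in ${diff_day} days (${exp})"
    # Offer renewal when fewer than 30 days remain
    if [[ ${diff_day} -lt 30 ]]; then
      renew_cert "${cert_name}"
    fi
  else
    echo "expired ${exp}"
    renew_cert "${cert_name}"
  fi
done
echo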