k3s certificate rotation test (see https://github.com/rancher/k3s/issues/1621): on a throwaway VM, advance the clock to just before the one-year leaf certificates expire, restart k3s so it re-issues them, then delete the cached k3s-serving secret and dynamic-cert.json so the API server on :6443 actually presents the renewed serving certificate. Not a procedure to run as-is on a production node.
# Root shell transcript on a test VM. It rotates the one-year k3s leaf
# certificates by advancing the system clock and restarting k3s, then forces
# the API server to present the renewed serving certificate. Do NOT replay this
# on a production node: it truncates syslog, rewrites the hardware clock and
# deletes/exports a secret that holds private key material.
#
# Step 1: install from a pre-staged binary. INSTALL_K3S_SKIP_DOWNLOAD=true also
# skips the installer verify step (next INFO line), so the checksum of the
# staged k3s binary must have been verified out of band before this point.
[root@localhost ~]# INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh | |
[INFO] Skipping k3s download and verify | |
[INFO] Creating /usr/local/bin/kubectl symlink to k3s | |
[INFO] Creating /usr/local/bin/crictl symlink to k3s | |
[INFO] Skipping /usr/local/bin/ctr symlink to k3s, command exists in PATH at /bin/ctr | |
[INFO] Creating killall script /usr/local/bin/k3s-killall.sh | |
[INFO] Creating uninstall script /usr/local/bin/k3s-uninstall.sh | |
[INFO] env: Creating environment file /etc/systemd/system/k3s.service.env | |
[INFO] systemd: Creating service file /etc/systemd/system/k3s.service | |
[INFO] systemd: Enabling k3s unit | |
Created symlink from /etc/systemd/system/multi-user.target.wants/k3s.service to /etc/systemd/system/k3s.service. | |
[INFO] systemd: Starting k3s | |
[root@localhost ~]# | |
# Step 2: baseline - all bundled components are up before anything is touched.
[root@localhost ~]# k3s kubectl get pods -n kube-system | |
NAME READY STATUS RESTARTS AGE | |
metrics-server-6d684c7b5-4lwbj 1/1 Running 0 58s | |
local-path-provisioner-58fb86bdfd-9mp9d 1/1 Running 0 58s | |
helm-install-traefik-h9j2t 0/1 Completed 1 58s | |
svclb-traefik-98rl7 2/2 Running 0 52s | |
coredns-6c6bb68b64-pl8nt 1/1 Running 0 58s | |
traefik-7b8b884c8-llffl 1/1 Running 0 52s | |
[root@localhost ~]# date | |
Thu Jun 4 15:41:44 UTC 2020 | |
[root@localhost ~]# cd /var/lib/rancher/k3s/server/ | |
# NOTE(review): this truncates /var/log/messages, presumably to make the later
# k3s log easy to read. It also destroys the existing system log - skip it
# outside a throwaway VM; an audit trail of a clock change is exactly what you
# want to keep.
[root@localhost server]# > /var/log/messages | |
# Interrupted history search (^C) - nothing was executed on this line.
(reverse-i-search)`stop': systemctl ^Cop k3s | |
# Step 3: record the validity window of every server certificate. Iterating
# over ls output only works because the file names contain no whitespace; a
# plain glob (for i in *.crt) is the safer form. The first attempt is in the
# wrong directory - the certificates live under server/tls.
[root@localhost server]# for i in `ls *.crt`; do echo $i; openssl x509 -noout -startdate -enddate -in $i; done | |
ls: cannot access *.crt: No such file or directory | |
[root@localhost server]# cd tls/ | |
[root@localhost tls]# for i in `ls *.crt`; do echo $i; openssl x509 -noout -startdate -enddate -in $i; done | |
client-admin.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 4 15:40:24 2021 GMT | |
client-auth-proxy.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 4 15:40:24 2021 GMT | |
client-ca.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 2 15:40:24 2030 GMT | |
client-cloud-controller.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 4 15:40:24 2021 GMT | |
client-controller.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 4 15:40:24 2021 GMT | |
client-k3s-controller.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 4 15:40:24 2021 GMT | |
client-kube-apiserver.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 4 15:40:24 2021 GMT | |
client-kube-proxy.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 4 15:40:24 2021 GMT | |
client-scheduler.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 4 15:40:24 2021 GMT | |
request-header-ca.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 2 15:40:24 2030 GMT | |
server-ca.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 2 15:40:24 2030 GMT | |
serving-kube-apiserver.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 4 15:40:24 2021 GMT | |
# Result: the three CAs (client-ca, request-header-ca, server-ca) are valid for
# ten years; every other certificate expires one year after install
# (Jun 4 2021). Those one-year leaf certificates are what needs rotating.
[root@localhost tls]# date | |
Thu Jun 4 15:42:54 UTC 2020 | |
# Step 4: simulate approaching expiry. Stop k3s, set the clock to roughly three
# weeks before the leaf certs expire, write it to the hardware clock so it
# survives a reboot, and restart. On a real node the clock is left alone - the
# same renewal happens when k3s is restarted close enough to the real expiry
# date (the exact renewal window is not visible in this transcript; see the
# linked issue).
[root@localhost tls]# systemctl stop k3s | |
[root@localhost tls]# date -s 20210515 | |
Sat May 15 00:00:00 UTC 2021 | |
[root@localhost tls]# hwclock -w | |
[root@localhost tls]# date | |
Sat May 15 00:00:05 UTC 2021 | |
[root@localhost tls]# systemctl restart k3s | |
# Re-check: every one-year certificate now has notAfter = restart time + 1 year
# (May 15 2022). notBefore and the three CA certificates are unchanged.
[root@localhost tls]# for i in `ls *.crt`; do echo $i; openssl x509 -noout -startdate -enddate -in $i; done | |
client-admin.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=May 15 00:00:12 2022 GMT | |
client-auth-proxy.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=May 15 00:00:12 2022 GMT | |
client-ca.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 2 15:40:24 2030 GMT | |
client-cloud-controller.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=May 15 00:00:12 2022 GMT | |
client-controller.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=May 15 00:00:12 2022 GMT | |
client-k3s-controller.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=May 15 00:00:12 2022 GMT | |
client-kube-apiserver.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=May 15 00:00:12 2022 GMT | |
client-kube-proxy.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=May 15 00:00:12 2022 GMT | |
client-scheduler.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=May 15 00:00:12 2022 GMT | |
request-header-ca.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 2 15:40:24 2030 GMT | |
server-ca.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 2 15:40:24 2030 GMT | |
serving-kube-apiserver.crt | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=May 15 00:00:12 2022 GMT | |
# Same loop retyped and then interrupted with ^C - no output.
[root@localhost tls]# for i in `ls *.crt`; do echo $i; openssl x509 -noout -startdate -enddate -in $i; done^C | |
# Step 5: the certificate actually presented on :6443 is still the OLD one
# (notAfter Jun 4 2021) even though serving-kube-apiserver.crt on disk was
# renewed. The steps below show that the listener serves the copy cached in the
# kube-system/k3s-serving secret and tls/dynamic-cert.json, so both caches have
# to be removed before the renewed certificate is used.
[root@localhost tls]# openssl s_client -connect localhost:6443 -showcerts </dev/null 2>&1 | openssl x509 -noout -startdate -enddate | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=Jun 4 15:40:24 2021 GMT | |
# The k3s-serving secret is present (AGE 344d reflects the clock jump, not a
# stale object). The first delete attempt below is aborted with ^C, apparently
# so that backups could be taken first - keep that ordering.
[root@localhost tls]# k3s kubectl get secret -n kube-system | |
NAME TYPE DATA AGE | |
pv-protection-controller-token-7nfb7 kubernetes.io/service-account-token 3 344d | |
certificate-controller-token-rpglh kubernetes.io/service-account-token 3 344d | |
node-controller-token-t4fpz kubernetes.io/service-account-token 3 344d | |
pod-garbage-collector-token-d4pkm kubernetes.io/service-account-token 3 344d | |
service-controller-token-9tqgk kubernetes.io/service-account-token 3 344d | |
deployment-controller-token-6vvgg kubernetes.io/service-account-token 3 344d | |
namespace-controller-token-2nl5p kubernetes.io/service-account-token 3 344d | |
replication-controller-token-rvfst kubernetes.io/service-account-token 3 344d | |
cronjob-controller-token-p4hhx kubernetes.io/service-account-token 3 344d | |
resourcequota-controller-token-7wxq8 kubernetes.io/service-account-token 3 344d | |
expand-controller-token-w9hgk kubernetes.io/service-account-token 3 344d | |
clusterrole-aggregation-controller-token-d95f6 kubernetes.io/service-account-token 3 344d | |
disruption-controller-token-d58ds kubernetes.io/service-account-token 3 344d | |
coredns-token-m6n4k kubernetes.io/service-account-token 3 344d | |
k3s-serving kubernetes.io/tls 2 344d | |
local-path-provisioner-service-account-token-k9nrl kubernetes.io/service-account-token 3 344d | |
ttl-controller-token-hflgx kubernetes.io/service-account-token 3 344d | |
persistent-volume-binder-token-2qw4t kubernetes.io/service-account-token 3 344d | |
metrics-server-token-gcwvl kubernetes.io/service-account-token 3 344d | |
helm-traefik-token-vs8fb kubernetes.io/service-account-token 3 344d | |
endpoint-controller-token-nclfj kubernetes.io/service-account-token 3 344d | |
generic-garbage-collector-token-njjk6 kubernetes.io/service-account-token 3 344d | |
replicaset-controller-token-pqnk8 kubernetes.io/service-account-token 3 344d | |
pvc-protection-controller-token-jzjn2 kubernetes.io/service-account-token 3 344d | |
statefulset-controller-token-sch87 kubernetes.io/service-account-token 3 344d | |
attachdetach-controller-token-bh9br kubernetes.io/service-account-token 3 344d | |
horizontal-pod-autoscaler-token-k8tb8 kubernetes.io/service-account-token 3 344d | |
service-account-controller-token-wlddj kubernetes.io/service-account-token 3 344d | |
daemon-set-controller-token-p4xs6 kubernetes.io/service-account-token 3 344d | |
job-controller-token-sz8x4 kubernetes.io/service-account-token 3 344d | |
default-token-4d685 kubernetes.io/service-account-token 3 344d | |
traefik-default-cert Opaque 2 344d | |
traefik-token-5vpbt kubernetes.io/service-account-token 3 344d | |
sh.helm.release.v1.traefik.v1 helm.sh/release.v1 1 344d | |
[root@localhost tls]# kubectl delete secret -n kube-system k3s-serving^C | |
[root@localhost tls]# ls | |
client-admin.crt client-ca.key client-k3s-controller.crt client-kube-proxy.crt request-header-ca.crt serving-kube-apiserver.crt | |
client-admin.key client-cloud-controller.crt client-k3s-controller.key client-kube-proxy.key request-header-ca.key serving-kube-apiserver.key | |
client-auth-proxy.crt client-cloud-controller.key client-kube-apiserver.crt client-scheduler.crt server-ca.crt serving-kubelet.key | |
client-auth-proxy.key client-controller.crt client-kube-apiserver.key client-scheduler.key server-ca.key temporary-certs | |
client-ca.crt client-controller.key client-kubelet.key dynamic-cert.json service.key | |
# Step 6: back up both caches, delete them, and restart so k3s regenerates the
# serving certificate. The bak/ directory sits inside server/tls next to the
# other keys; bak/k3s-serving.bak.yaml is a dump of a kubernetes.io/tls secret,
# which normally carries tls.key alongside tls.crt, so treat the file as private
# key material - keep it root-only and delete it once the rotation is verified.
[root@localhost tls]# mkdir bak | |
[root@localhost tls]# mv dynamic-cert.json bak/ | |
[root@localhost tls]# kubectl get secret -n kube-system k3s-serving -o yaml > bak/k3s-serving.bak.yaml | |
[root@localhost tls]# kubectl delete secret -n kube-system k3s-serving | |
secret "k3s-serving" deleted | |
[root@localhost tls]# systemctl restart k3s | |
# Verified: :6443 now presents a certificate valid until May 15 2022.
# Follow-ups not shown in the transcript: restore the clock on this VM; confirm
# that any kubeconfig embedding client-admin.crt data still works now that the
# client certificates were re-issued (TODO confirm); and in production pair a
# notAfter check (the openssl loop above) with a scheduled k3s restart so the
# one-year expiry is never actually reached.
[root@localhost tls]# openssl s_client -connect localhost:6443 -showcerts </dev/null 2>&1 | openssl x509 -noout -startdate -enddate | |
notBefore=Jun 4 15:40:24 2020 GMT | |
notAfter=May 15 00:02:37 2022 GMT
Thanks for this; I appreciate it!