Last active
November 26, 2023 13:46
-
-
Save ikurni/236845cbbc04c1115e5ab91df4ae3f65 to your computer and use it in GitHub Desktop.
Renew Expired ETCD Certificater for OCP 4.8 Below
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Red Hat Internal KB : | |
| https://access.redhat.com/solutions/7023254?band=se&seSessionId=522ca7b0-a002-43d3-a5d2-9a7e387186c0&seSource=Recommendation&seResourceOriginID=09abffc5-23dc-465e-a013-9e52e91306cf | |
| Openshift 4.8 below doesn't have auto rotation for etcd certificate and it will be expired within 3 years | |
| High Level steps : | |
| 1) Copy etcd-signer and etcd-metric-signer CA from etcd DB to some folder, create the crt and key file for each signer | |
| 2) Backup all manifests for static pods in each master | |
| 3) Backup all existing etcd certificates inside /etc/kubernetes/static-pod-resources/etcd-certs/secrets/ | |
| 4) Create new folder inside above folder ie. call as "all-certs", copy all certificate inside secrets folder to the "all-certs" folder | |
| 5) Put the signer crt and key file to that folder, and create the renew-certificate.sh | |
| 6) Execute the shell file, and it will create new_certificates folder | |
| 7) Check the expiry date inside the certs, make sure it has been renewed | |
| 8) Distribute the cert based on the folder, remove old cert in the "secrets" folder | |
| 9) Reboot the nodes |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment