Skip to content

Instantly share code, notes, and snippets.

@ikurni
Last active November 26, 2023 13:46
Show Gist options
  • Save ikurni/236845cbbc04c1115e5ab91df4ae3f65 to your computer and use it in GitHub Desktop.
Save ikurni/236845cbbc04c1115e5ab91df4ae3f65 to your computer and use it in GitHub Desktop.
Renew Expired ETCD Certificater for OCP 4.8 Below
Red Hat Internal KB :
https://access.redhat.com/solutions/7023254?band=se&seSessionId=522ca7b0-a002-43d3-a5d2-9a7e387186c0&seSource=Recommendation&seResourceOriginID=09abffc5-23dc-465e-a013-9e52e91306cf
Openshift 4.8 below doesn't have auto rotation for etcd certificate and it will be expired within 3 years
High Level steps :
1) Copy etcd-signer and etcd-metric-signer CA from etcd DB to some folder, create the crt and key file for each signer
2) Backup all manifests for static pods in each master
3) Backup all existing etcd certificates inside /etc/kubernetes/static-pod-resources/etcd-certs/secrets/
4) Create new folder inside above folder ie. call as "all-certs", copy all certificate inside secrets folder to the "all-certs" folder
5) Put the signer crt and key file to that folder, and create the renew-certificate.sh
6) Execute the shell file, and it will create new_certificates folder
7) Check the expiry date inside the certs, make sure it has been renewed
8) Distribute the cert based on the folder, remove old cert in the "secrets" folder
9) Reboot the nodes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment