Rotate Kubernetes Certificates
During a SevOne Data Insight upgrade, the k3s service automatically rotates certificates that are due to expire within 90 days. If the certificates expire before k3s is able to rotate them, you must rotate them manually. Kubernetes commands then fail with an error such as the following.
$ kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid
Back Up TLS Directory
As a precautionary measure, back up the TLS directory. The archive contains private keys, so keep it readable by root only.
$ sudo tar -czvf /var/lib/rancher/k3s/server/tls.tgz /var/lib/rancher/k3s/server/tls
Generate New Certificates
- Remove the cached certificate from a Kubernetes secret.
$ sudo rm /var/lib/rancher/k3s/server/tls/dynamic-cert.json
- Restart the k3s service to rotate the certificates.
$ sudo systemctl restart k3s
Note: You can now run Kubernetes commands. This allows you to back up your all-important security keys if you have not already done so.
Refresh Kubernetes Config
After rotating the Kubernetes certificates, the Kubernetes configuration file must be refreshed to apply the new certificates.
Refresh Kubernetes config file
for 'root' user
$ sudo cp /etc/rancher/k3s/k3s.yaml /root/.kube/config
for 'sevone' user
$ sudo cp /etc/rancher/k3s/k3s.yaml /home/sevone/.kube/config
$ sudo chown -R sevone:sevone /home/sevone/.kube
Verify Certificates
To verify the certificates, execute the following commands.
$ sudo -i
$ for i in /var/lib/rancher/k3s/server/tls/*.crt; \
do echo "$i"; openssl x509 -enddate -noout -in "$i"; \
echo "---"; done
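The loop above prints each end date for manual reading. The following added example (not part of the SevOne documentation) classifies each certificate against the 90-day rotation window using openssl's -checkend option. The function name check_cert_expiry, its output labels and its exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag certificates that are expired or inside the rotation window.
# Assumed interface (not from the product): check_cert_expiry DIR [DAYS]
#   DIR   directory holding *.crt files, e.g. /var/lib/rancher/k3s/server/tls
#   DAYS  warning window in days, default 90 (the window named on this page)
# Exit status: 0 all OK, 1 at least one inside the window,
#              2 at least one expired or unreadable, 3 directory missing.
# Note: openssl x509 reads only the first certificate in a file, so for a
# file that bundles a leaf and its CA, only the leaf is checked.
check_cert_expiry() {
    dir=$1
    days=${2:-90}
    window=$((days * 86400))      # -checkend takes seconds
    worst=0
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 3
    fi
    for crt in "$dir"/*.crt; do
        [ -e "$crt" ] || continue  # glob matched nothing
        if ! end=$(openssl x509 -enddate -noout -in "$crt" 2>/dev/null); then
            echo "UNREADABLE $crt"
            worst=2
            continue
        fi
        end=${end#notAfter=}
        # -checkend N exits non-zero when the certificate expires within N seconds
        if ! openssl x509 -checkend 0 -noout -in "$crt" >/dev/null 2>&1; then
            echo "EXPIRED   $crt ($end)"
            worst=2
        elif ! openssl x509 -checkend "$window" -noout -in "$crt" >/dev/null 2>&1; then
            echo "EXPIRING  $crt ($end)"
            if [ "$worst" -lt 1 ]; then worst=1; fi
        else
            echo "OK        $crt ($end)"
        fi
    done
    return "$worst"
}
```

Run it as root, for example `check_cert_expiry /var/lib/rancher/k3s/server/tls 90`; the non-zero exit status lets a cron job or monitoring check alert before the certificates expire.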