sagb commented on issue #9418:
URL: https://github.com/apache/cloudstack/issues/9418#issuecomment-2238602307
The certificates on k8s control nodes are really expired:
```
control-node-1:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 18, 2024 08:23 UTC   <invalid>       ca                      no
apiserver                  Jul 18, 2024 08:22 UTC   <invalid>       ca                      no
apiserver-etcd-client      Jul 18, 2024 08:22 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Jul 18, 2024 08:22 UTC   <invalid>       ca                      no
controller-manager.conf    Jul 18, 2024 08:22 UTC   <invalid>       ca                      no
etcd-healthcheck-client    May 26, 2024 08:19 UTC   <invalid>       etcd-ca                 no
etcd-peer                  May 26, 2024 08:19 UTC   <invalid>       etcd-ca                 no
etcd-server                May 26, 2024 08:19 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Jul 18, 2024 08:22 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Jul 18, 2024 08:23 UTC   <invalid>       ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      May 24, 2033 08:19 UTC   8y              no
etcd-ca                 May 24, 2033 08:19 UTC   8y              no
front-proxy-ca          May 24, 2033 08:19 UTC   8y              no
```
Since CloudStack shows the expired certificate in the "kubernetes control" web
UI page, it has some control over them. How can I trigger the renewal?
It doesn't seem that CloudStack will be able to connect to the control nodes
later, as it has already been trying for several hours.