kiranchavala commented on issue #9418: URL: https://github.com/apache/cloudstack/issues/9418#issuecomment-2250135189
@sagb CloudStack doesn't provide a way to automatically renew k8s component certificates. Your request can be an improvement request.

When you launch a CKS cluster, internally CKS uses kubeadm to set up the Kubernetes cluster. Client certificates generated by [kubeadm](https://kubernetes.io/docs/reference/setup-tools/kubeadm/) expire after 1 year.

```
root@test-control-190e8277e14:~# kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Jul 25, 2025 04:32 UTC   364d            ca                      no
apiserver                  Jul 25, 2025 04:32 UTC   364d            ca                      no
apiserver-etcd-client      Jul 25, 2025 04:32 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Jul 25, 2025 04:32 UTC   364d            ca                      no
controller-manager.conf    Jul 25, 2025 04:32 UTC   364d            ca                      no
etcd-healthcheck-client    Jul 25, 2025 04:32 UTC   364d            etcd-ca                 no
etcd-peer                  Jul 25, 2025 04:32 UTC   364d            etcd-ca                 no
etcd-server                Jul 25, 2025 04:32 UTC   364d            etcd-ca                 no
front-proxy-client         Jul 25, 2025 04:32 UTC   364d            front-proxy-ca          no
scheduler.conf             Jul 25, 2025 04:32 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 23, 2034 04:32 UTC   9y              no
etcd-ca                 Jul 23, 2034 04:32 UTC   9y              no
front-proxy-ca          Jul 23, 2034 04:32 UTC   9y              no
```

It's up to the admin user to log in to the control node and renew the client certificates.

As a workaround, log in to the control node and try to delete the following pods after executing "kubeadm certs renew all".

```
root@primary1-node:~# kubectl delete pod -n kube-system -l component=kube-apiserver
root@primary1-node:~# kubectl delete pod -n kube-system -l component=kube-scheduler
root@primary1-node:~# kubectl delete pod -n kube-system -l component=kube-controller-manager
root@primary1-node:~# kubectl delete pod -n kube-system -l component=etcd
```

Another workaround is to upgrade the Kubernetes version. kubeadm renews all the certificates during control plane [upgrade](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade/).

Register the 1.28.4 CKS ISO and upgrade the CKS cluster, which should renew the certificates.

https://download.cloudstack.org/cks/

ref:
https://www.juniper.net/documentation/us/en/software/paragon-automation23.2/paragon-automation-troubleshooting-guide/topics/task/tg-manual-renew-kubeadm-cert.html
https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
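
Since renewal is left to the admin, one way to notice certificates approaching the one-year expiry is to parse the `kubeadm certs check-expiration` table shown in the comment above. This is an added example, not part of the original comment or of CloudStack; the function names `expiring_certs` and `constructed_sample`, the 30-day default and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag kubeadm-managed certificates that are close to expiry.
# Input: the text printed by `kubeadm certs check-expiration`, on stdin.

# expiring_certs [THRESHOLD_DAYS]   (hypothetical helper, default 30 days)
# Prints "NAME RESIDUAL" for every certificate or CA whose residual time is
# below the threshold; returns 1 if any were found, 0 otherwise.
expiring_certs() {
  awk -v limit="${1:-30}" '
    # Convert the short residual time (364d, 9y, 5h, <invalid>) to whole days.
    function days(r,    n, u) {
      if (r == "<invalid>") return -1      # already expired
      n = r + 0                            # leading number
      u = substr(r, length(r))             # unit suffix
      if (u == "y") return n * 365
      if (u == "d") return n
      return 0                             # h, m, s: less than a day left
    }
    # Data rows read: NAME Mon DD, YYYY HH:MM UTC RESIDUAL ... ;
    # header and [check-expiration] lines never carry "UTC" in field 6.
    $6 == "UTC" && NF >= 8 {
      if (days($7) < limit) { print $1, $7; hits = 1 }
    }
    END { exit (hits > 0) }
  '
}

# Constructed sample in the same column layout (not output from a real cluster).
constructed_sample() {
  cat <<'EOF'
CERTIFICATE          EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver            Jul 25, 2025 04:32 UTC   364d            ca                      no
etcd-server          Aug 07, 2024 04:32 UTC   12d             etcd-ca                 no
front-proxy-client   Jul 26, 2024 09:32 UTC   5h              front-proxy-ca          no
scheduler.conf       Jul 20, 2024 04:32 UTC   <invalid>       ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jul 23, 2034 04:32 UTC   9y              no
EOF
}

# On a control node (for example from cron):
#   kubeadm certs check-expiration | expiring_certs 30 || echo "renew soon"
```

The non-zero return status lets a scheduled job raise an alert well before the control plane components start failing TLS handshakes.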
