cfergeau · January 13, 2020 08:05
diff --git a/README.md b/README.md
diff --git a/fix-certs.sh b/fix-certs.sh
 #!/bin/bash

 set -x

 SSH="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.crc/machines/crc/id_rsa"
 HOST=$(crc ip)

 function run_remote_command {
        if [ $# -lt 1 ]; then
                echo "Missing command"
                exit 1
        fi
        ${SSH} core@${HOST} $@
 }

 function run_remote_script {
        if [ $# -ne 1 ]; then
                echo "Missing script or too many arguments"
                exit 1
        fi
        if ! copy_file "$1" $(basename $1); then
                return
        fi
        run_remote_command "sudo sh $(basename $1) && rm $(basename $1)"
 }

 function copy_file {
        if [ $# -ne 2 ]; then
                echo "Wrong number of arguments"
                exit 1
        fi

        rsync -avP -e "${SSH}" "$1" "core@${HOST}:$2"
 }

 # check bundle version ? must be a 4.2 bundle
 # check cert expiry date

 if [ ! -f ~/.crc/machines/crc/id_rsa ]; then
        echo "crc machine was never started, this script cannot currently recover it"
        exit 1
 fi

 if ! run_remote_command 'stat /var/lib/kubelet/config.json'; then
        if [ -z $PULL_SECRET_FILE ]; then
                echo "Pull secret is missing, you need to set PULL_SECRET_FILE in your environment before running this script"
                exit 1
        else
                if ! copy_file "$PULL_SECRET_FILE" config.json; then
                        echo "Failed to copy pull secret"
                        exit 1
                fi
                run_remote_command "sudo mv config.json /var/lib/kubelet/"
        fi
 fi

 # if kubelet is already running, this will be a noop
 run_remote_command 'sudo systemctl start kubelet'

 if run_remote_script regenerate-certs.sh; then
        echo "Cluster certificates were successfully regenerated, the cluster now needs several minutes to settle"
        # check cluster is ready with ??
 else
        echo "Error trying to regenerate cluster certificates"
        exit 1
 fi
diff --git a/regenerate-certs.sh b/regenerate-certs.sh
 #!/bin/bash
 # This script follows https://docs.openshift.com/container-platform/4.1/backup_and_restore/disaster_recovery/scenario-3-expired-certs.html
 # https://github.com/openshift/openshift-docs/blob/master/modules/dr-recover-expired-control-plane-certs.adoc

 set -x


 export RELEASE_IMAGE="quay.io/openshift-release-dev/ocp-release:4.2.2"
 export KAO_IMAGE=$( oc adm release info --registry-config='/var/lib/kubelet/config.json' "${RELEASE_IMAGE}" --image-for=cluster-kube-apiserver-operator )
 podman pull --authfile=/var/lib/kubelet/config.json "${KAO_IMAGE}"
 RECOVERY_OUTPUT=$(podman run -it --network=host -v /etc/kubernetes/:/etc/kubernetes/:Z --entrypoint=/usr/bin/cluster-kube-apiserver-operator "${KAO_IMAGE}" recovery-apiserver create)
 KUBECONFIG=$(echo $RECOVERY_OUTPUT|grep "export KUBECONFIG"|tail -1 | sed "s/^.*export KUBECONFIG=//" | tr -d '\r\n')

 export KUBECONFIG

 #until oc get namespace kube-system 2>/dev/null 1>&2; do echo 'Waiting for recovery apiserver to come up.'; sleep 1; done
 until oc get namespace kube-system ; do echo 'Waiting for recovery apiserver to come up.'; sleep 1; done

 podman run -it --network=host -v /etc/kubernetes/:/etc/kubernetes/:Z --entrypoint=/usr/bin/cluster-kube-apiserver-operator "${KAO_IMAGE}" regenerate-certificates

 oc patch kubeapiserver cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge
 oc patch kubecontrollermanager cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge
 oc patch kubescheduler cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge

 /usr/local/bin/recover-kubeconfig.sh >kubeconfig
 mv kubeconfig /etc/kubernetes/kubeconfig

 oc get configmap kube-apiserver-to-kubelet-client-ca -n openshift-kube-apiserver-operator --template='{{ index .data "ca-bundle.crt" }}' > /etc/kubernetes/kubelet-ca.crt
 touch /run/machine-config-daemon-force

 systemctl stop kubelet
 rm -rf /var/lib/kubelet/pki /var/lib/kubelet/kubeconfig
 crictl stopp $(sudo crictl pods -q)
 crictl rmp $(sudo crictl pods -q)
 systemctl start kubelet

 until oc get csr | grep Pending; do echo 'Waiting for first CSR request.'; sleep 1; done
 for CSR in $(oc get csr | grep Pending | awk '{print $1}'); do
 	oc adm certificate approve $CSR;
 done

 until oc get csr | grep Pending; do echo 'Waiting for second CSR request.'; sleep 1; done
 for CSR in $(oc get csr | grep Pending | awk '{print $1}'); do
 	oc adm certificate approve $CSR;
 done

 #echo "kubeconfig: $KUBECONFIG"
 podman run -it --network=host -v /etc/kubernetes/:/etc/kubernetes/:Z --entrypoint=/usr/bin/cluster-kube-apiserver-operator "${KAO_IMAGE}" recovery-apiserver destroy
	#!/bin/bash

	set -x

	SSH="ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i ~/.crc/machines/crc/id_rsa"
	HOST=$(crc ip)

	function run_remote_command {
	if [ $# -lt 1 ]; then
	echo "Missing command"
	exit 1
	fi
	${SSH} core@${HOST} $@
	}

	function run_remote_script {
	if [ $# -ne 1 ]; then
	echo "Missing script or too many arguments"
	exit 1
	fi
	if ! copy_file "$1" $(basename $1); then
	return
	fi
	run_remote_command "sudo sh $(basename $1) && rm $(basename $1)"
	}

	function copy_file {
	if [ $# -ne 2 ]; then
	echo "Wrong number of arguments"
	exit 1
	fi

	rsync -avP -e "${SSH}" "$1" "core@${HOST}:$2"
	}

	# check bundle version ? must be a 4.2 bundle
	# check cert expiry date

	if [ ! -f ~/.crc/machines/crc/id_rsa ]; then
	echo "crc machine was never started, this script cannot currently recover it"
	exit 1
	fi

	if ! run_remote_command 'stat /var/lib/kubelet/config.json'; then
	if [ -z $PULL_SECRET_FILE ]; then
	echo "Pull secret is missing, you need to set PULL_SECRET_FILE in your environment before running this script"
	exit 1
	else
	if ! copy_file "$PULL_SECRET_FILE" config.json; then
	echo "Failed to copy pull secret"
	exit 1
	fi
	run_remote_command "sudo mv config.json /var/lib/kubelet/"
	fi
	fi

	# if kubelet is already running, this will be a noop
	run_remote_command 'sudo systemctl start kubelet'

	if run_remote_script regenerate-certs.sh; then
	echo "Cluster certificates were successfully regenerated, the cluster now needs several minutes to settle"
	# check cluster is ready with ??
	else
	echo "Error trying to regenerate cluster certificates"
	exit 1
	fi
	#!/bin/bash
	# This script follows https://docs.openshift.com/container-platform/4.1/backup_and_restore/disaster_recovery/scenario-3-expired-certs.html
	# https://github.com/openshift/openshift-docs/blob/master/modules/dr-recover-expired-control-plane-certs.adoc

	set -x


	export RELEASE_IMAGE="quay.io/openshift-release-dev/ocp-release:4.2.2"
	export KAO_IMAGE=$( oc adm release info --registry-config='/var/lib/kubelet/config.json' "${RELEASE_IMAGE}" --image-for=cluster-kube-apiserver-operator )
	podman pull --authfile=/var/lib/kubelet/config.json "${KAO_IMAGE}"
	RECOVERY_OUTPUT=$(podman run -it --network=host -v /etc/kubernetes/:/etc/kubernetes/:Z --entrypoint=/usr/bin/cluster-kube-apiserver-operator "${KAO_IMAGE}" recovery-apiserver create)
	KUBECONFIG=$(echo $RECOVERY_OUTPUT\|grep "export KUBECONFIG"\|tail -1 \| sed "s/^.*export KUBECONFIG=//" \| tr -d '\r\n')

	export KUBECONFIG

	#until oc get namespace kube-system 2>/dev/null 1>&2; do echo 'Waiting for recovery apiserver to come up.'; sleep 1; done
	until oc get namespace kube-system ; do echo 'Waiting for recovery apiserver to come up.'; sleep 1; done

	podman run -it --network=host -v /etc/kubernetes/:/etc/kubernetes/:Z --entrypoint=/usr/bin/cluster-kube-apiserver-operator "${KAO_IMAGE}" regenerate-certificates

	oc patch kubeapiserver cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge
	oc patch kubecontrollermanager cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge
	oc patch kubescheduler cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge

	/usr/local/bin/recover-kubeconfig.sh >kubeconfig
	mv kubeconfig /etc/kubernetes/kubeconfig

	oc get configmap kube-apiserver-to-kubelet-client-ca -n openshift-kube-apiserver-operator --template='{{ index .data "ca-bundle.crt" }}' > /etc/kubernetes/kubelet-ca.crt
	touch /run/machine-config-daemon-force

	systemctl stop kubelet
	rm -rf /var/lib/kubelet/pki /var/lib/kubelet/kubeconfig
	crictl stopp $(sudo crictl pods -q)
	crictl rmp $(sudo crictl pods -q)
	systemctl start kubelet

	until oc get csr \| grep Pending; do echo 'Waiting for first CSR request.'; sleep 1; done
	for CSR in $(oc get csr \| grep Pending \| awk '{print $1}'); do
	oc adm certificate approve $CSR;
	done

	until oc get csr \| grep Pending; do echo 'Waiting for second CSR request.'; sleep 1; done
	for CSR in $(oc get csr \| grep Pending \| awk '{print $1}'); do
	oc adm certificate approve $CSR;
	done

	#echo "kubeconfig: $KUBECONFIG"
	podman run -it --network=host -v /etc/kubernetes/:/etc/kubernetes/:Z --entrypoint=/usr/bin/cluster-kube-apiserver-operator "${KAO_IMAGE}" recovery-apiserver destroy