Created
April 26, 2018 19:30
-
-
Save cmcconnell1/54ae82a71c5a73c9f9bcbaf1edf861d1 to your computer and use it in GitHub Desktop.
Distributes updated x509 tls certs to etcd2 kube nodes and resolves outdated cert problems
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # | |
| # Summary: | |
| # Distributes updated x509 tls certs and resolves outdate cert problems which effectively kill your kube cluster | |
| # ref: https://github.com/kubernetes-incubator/kube-aws/issues/1132 | |
| # ref: https://github.com/kubernetes-incubator/kube-aws/issues/1057 | |
| # | |
| # NOTES: Ensure this is the correct process for your etcd2 kube cluster before using. | |
| # Test on a dev/test cluster first. | |
| # Use at own risk. | |
| # | |
| # OBSERVATIONS: | |
| # Output of etcdctl cluster-health shows x509 cert errors: | |
| # etcdctl cluster-health | |
| # cluster may be unhealthy: failed to list members | |
| # Error: client: etcd cluster is unavailable or misconfigured | |
| # error #0: x509: certificate has expired or is not yet valid | |
| # | |
| # TESTED/VALIDATED ON BELOW VERSION: | |
| # KUBE-AWS-VERSION: v0.9.3-rc.5 | |
| # AMI-ID: ami-b31d43d3 | |
| # | |
| # STEPS: | |
| # | |
| # 1. Follow your kube provisioning process to update your certificates | |
| # for kube-aws this appears to be a moving target for future releases but older releases were essentially | |
| # kube-aws render credentials | |
| # kube-aws update | |
| # | |
| # 2. Modify this script to include all of your etcd2 nodes IP addresses | |
| # | |
| # 3. Either cd into the updated $kube_cluster/credentials directory or modify path if desired | |
| # | |
| # 4. Execute this script with no args | |
| # scp updated certs to etcd2 nodes | |
| for i in ca.pem ca.pem.enc etcd-client-key.pem etcd-client-key.pem.enc etcd-client.pem etcd-client.pem.enc etcd-key.pem etcd-key.pem.enc etcd.pem etcd.pem.enc ; do | |
| scp $i [email protected]:/var/tmp | |
| scp $i [email protected]:/var/tmp | |
| scp $i [email protected]:/var/tmp | |
| # add additional etcd2 nodes here | |
| done | |
| # move to correct locations and set requisite perms, etc. | |
| ssh [email protected] "sudo mv /var/tmp/*.pem /etc/etcd2/ssl; sudo mv /var/tmp/*.enc /etc/etcd2/ssl; sudo chown root:root /etc/etcd2/ssl/*; sudo systemctl restart etcd2; sudo systemctl status etcd2" | |
| ssh [email protected] "sudo mv /var/tmp/*.pem /etc/etcd2/ssl; sudo mv /var/tmp/*.enc /etc/etcd2/ssl; sudo chown root:root /etc/etcd2/ssl/*; sudo systemctl restart etcd2; sudo systemctl status etcd2" | |
| ssh [email protected] "sudo mv /var/tmp/*.pem /etc/etcd2/ssl; sudo mv /var/tmp/*.enc /etc/etcd2/ssl; sudo chown root:root /etc/etcd2/ssl/*; sudo systemctl restart etcd2; sudo systemctl status etcd2" | |
| # add additional etcd2 nodes here |
your api-server,pem will also expire. you need to be rotating that as well. What is the method you tried
for those coming after, my /etc/etcd-environment had a number of arguments that specified the /etc/ssl/certs directory as the place needed for those values
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
have you tried this script with etcd3? kube-aws now ships with etcd 3.x