pharos-cluster
Config file expiration every 30 days.
Requirement: config file expiration every next month, and generate another config file?
The need for this is to make sure that the cluster is secure, or to generate a different config file every 30 days using pharos up to update the cluster with the new config file.
I'm not sure if it's doable using cluster.yml.
KR
Ammar.
And if the Kontena Pharos cluster certificate expired, how can I generate another certificate and a new config file?
KR Ammar.
I tried to renew all certificates and generate new certificates manually, as below:

Backup old apiserver, apiserver-kubelet-client, and front-proxy-client certs and keys:
sudo mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.old
sudo mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.key /etc/kubernetes/pki/apiserver-kubelet-client.key.old
sudo mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.old
sudo mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.old

Generate new apiserver, apiserver-kubelet-client, and front-proxy-client certs and keys:
sudo kubeadm alpha phase certs apiserver --apiserver-advertise-address 172.16.50.21:6443
sudo kubeadm alpha phase certs apiserver-kubelet-client
sudo kubeadm alpha phase certs front-proxy-client

Backup old configuration files:
sudo mv /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.old
sudo mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.old
sudo mv /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.old
sudo mv /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.old

Generate new configuration files:
sudo kubeadm alpha phase kubeconfig all --apiserver-advertise-address k8s-jungle-1

It generated a new config file and it works, but the workers can't join the master node:
sudo kubeadm join --token=xxxxxxxxxxxxxxx k8s-jung:6443 --discovery-token-ca-cert-hash sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxx

And the workers keep asking for the new certificates.
Could you please help and advise? Is there any built-in in Pharos that can help to change the certificates and generate a new config file?
KR Ammar
Just re-run pharos up -- that should do it (I think).
Dear Timer,
I already did it and it gave me the same kubeconfig file.
Did you re-output the file with pharos kubeconfig > kubeconfig?
Yes sir, and I compared it with the old file using Beyond Compare.
It's the same file.
I tried this:

Backup old apiserver, apiserver-kubelet-client, and front-proxy-client certs and keys:
sudo mv /etc/kubernetes/pki/apiserver.key /etc/kubernetes/pki/apiserver.key.old
sudo mv /etc/kubernetes/pki/apiserver.crt /etc/kubernetes/pki/apiserver.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt.old
sudo mv /etc/kubernetes/pki/apiserver-kubelet-client.key /etc/kubernetes/pki/apiserver-kubelet-client.key.old
sudo mv /etc/kubernetes/pki/front-proxy-client.crt /etc/kubernetes/pki/front-proxy-client.crt.old
sudo mv /etc/kubernetes/pki/front-proxy-client.key /etc/kubernetes/pki/front-proxy-client.key.old

Backup old configuration files:
sudo mv /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.old
sudo mv /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.old
sudo mv /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.old
sudo mv /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.old

then:
pharos up. It generates a kubeconfig file with a new key, but the old kubeconfig file can still access the k8s cluster. I think because it was generated from the same CA.
How can I generate a new kubeconfig file and make sure that the old kubeconfig file will not work any more?
The issue is resolved, using the Vault tool.