How to renew or recreate a node's certificate in Openshift 4.x / OKD 4.x

This case usually occurs when a node requests certificate approval but the request is never approved by the admin (perhaps because it was forgotten, or nobody knew there was a pending approval request).

An OpenShift node normally requests certificate approval at set intervals. If a request is not approved, the affected node sometimes ends up in an error state and does not re-request automatically, so the broken node has to be triggered into asking for certificate approval again. The symptom is usually an error like the one below:

Unable to authenticate the request due to an error: x509: certificate signed by unknown authority
kubelet.go:2274] node "master-00.example.com" not found

To fix this, renew the certificate on the node whose certificate is broken:

  • Make sure you can access the cluster with oc as cluster-admin:
$ oc whoami
system:admin
  • Check whether there are any CSRs still pending:
$ oc get csr | grep Pending
  • Save the following script as recover_kubeconfig.sh on the bastion host. It builds a bootstrap kubeconfig from the node-bootstrapper service-account token and CA, pointed at the cluster's internal API URI:
#!/bin/bash

set -euo pipefail

# context: the internal API URI the kubelet should talk to, and the current oc context
intapi=$(oc get infrastructures.config.openshift.io cluster -o "jsonpath={.status.apiServerInternalURI}")
context="$(oc config current-context)"
# cluster: name and server of the cluster behind the current context
cluster="$(oc config view -o "jsonpath={.contexts[?(@.name==\"$context\")].context.cluster}")"
server="$(oc config view -o "jsonpath={.clusters[?(@.name==\"$cluster\")].cluster.server}")"
# token: CA certificate, namespace and token of the node-bootstrapper service account
ca_crt_data="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.ca\.crt}" | base64 --decode)"
namespace="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.namespace}" | base64 --decode)"
token="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.token}" | base64 --decode)"

# build the bootstrap kubeconfig in a fresh temporary file; it is printed to stdout at the end
export KUBECONFIG="$(mktemp)"
ca_crt="$(mktemp)"
# both temporary files hold secrets (token, CA): remove them when the script exits
trap 'rm -f "$KUBECONFIG" "$ca_crt"' EXIT
oc config set-credentials "kubelet" --token="$token" >/dev/null
echo "$ca_crt_data" > "$ca_crt"
oc config set-cluster "$cluster" --server="$intapi" --certificate-authority="$ca_crt" --embed-certs >/dev/null
oc config set-context kubelet --cluster="$cluster" --user="kubelet" >/dev/null
oc config use-context kubelet >/dev/null
cat "$KUBECONFIG"
  • Make the script executable and run it, saving the output as the bootstrap kubeconfig:
$ chmod 755 recover_kubeconfig.sh
$ ./recover_kubeconfig.sh > kubeconfig-bootstrap
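Before that file is copied anywhere it is worth checking what the script produced: kubeconfig-bootstrap carries the node-bootstrapper service-account token, which is a live cluster credential. The bash below is an added example, not part of the original post or of the Red Hat solution it references. It decodes the token's subject, checks that the server is the expected internal API URI and that the CA is embedded, and rejects the file otherwise. The sample kubeconfigs and the unsigned token are constructed inline; check_bootstrap_kubeconfig, jwt_subject and the other helper names are this example's own.

```bash
#!/bin/bash
# Added example (not from the original post): sanity-check the bootstrap kubeconfig
# written by recover_kubeconfig.sh before it leaves the bastion. The sample data and
# helper names below are this example's own; the token is unsigned and never valid.

# Decode one base64url segment of a JWT: restore padding, swap back the URL-safe alphabet.
b64url_decode() {
    local s="$1"
    case $(( ${#s} % 4 )) in
        2) s="${s}==" ;;
        3) s="${s}=" ;;
    esac
    printf '%s' "$s" | tr '_-' '/+' | base64 --decode
}

# Encode to base64url (used only to build the constructed sample token).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# Print the "sub" claim of a JWT; the payload is the second dot-separated segment.
# The API server emits compact JSON, so a sed extraction is enough here (no jq needed).
jwt_subject() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'
}

# Usage: check_bootstrap_kubeconfig <kubeconfig-file> <expected-internal-api-url>
# Returns 0 when the token subject is the node-bootstrapper service account, the server is
# the expected internal API URI and the CA is embedded; otherwise prints why and returns 1.
check_bootstrap_kubeconfig() {
    local file="$1" want_server="$2"
    local want_sub="system:serviceaccount:openshift-machine-config-operator:node-bootstrapper"
    local token server sub
    token=$(sed -n 's/^ *token: *//p' "$file" | head -n 1)
    server=$(sed -n 's/^ *server: *//p' "$file" | head -n 1)
    sub=$(jwt_subject "$token")
    if [ "$sub" != "$want_sub" ]; then
        echo "REJECT $file: token subject is '$sub', expected '$want_sub'" >&2; return 1
    fi
    if [ "$server" != "$want_server" ]; then
        echo "REJECT $file: server is '$server', expected '$want_server'" >&2; return 1
    fi
    if ! grep -q '^ *certificate-authority-data:' "$file"; then
        echo "REJECT $file: no embedded CA (was --embed-certs used?)" >&2; return 1
    fi
    return 0
}

# --- constructed sample data (not real cluster data) ---------------------------------
# Unsigned JWT with the given subject: enough to exercise the checks above.
make_fake_token() {
    printf '%s.%s.%s' "$(b64url_encode '{"alg":"none","typ":"JWT"}')" \
        "$(b64url_encode "{\"iss\":\"kubernetes/serviceaccount\",\"sub\":\"$1\"}")" "nosig"
}

# Write a kubeconfig in the shape recover_kubeconfig.sh produces.
# $1 = file, $2 = token subject, $3 = server URL
make_sample_kubeconfig() {
    cat > "$1" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCg==
    server: $3
  name: cluster
contexts:
- context:
    cluster: cluster
    user: kubelet
  name: kubelet
current-context: kubelet
kind: Config
users:
- name: kubelet
  user:
    token: $(make_fake_token "$2")
EOF
}

INT_API="https://api-int.example.com:6443"   # stands in for .status.apiServerInternalURI
GOOD_KUBECONFIG=$(mktemp); BAD_KUBECONFIG=$(mktemp)
trap 'rm -f "$GOOD_KUBECONFIG" "$BAD_KUBECONFIG"' EXIT
make_sample_kubeconfig "$GOOD_KUBECONFIG" \
    "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper" "$INT_API"
make_sample_kubeconfig "$BAD_KUBECONFIG" "system:serviceaccount:default:default" "$INT_API"

check_bootstrap_kubeconfig "$GOOD_KUBECONFIG" "$INT_API" && echo "good kubeconfig: OK to copy"
check_bootstrap_kubeconfig "$BAD_KUBECONFIG"  "$INT_API" || echo "bad kubeconfig: rejected"
# Real use on the bastion, with the same internal URI the script read:
#   check_bootstrap_kubeconfig kubeconfig-bootstrap \
#     "$(oc get infrastructures.config.openshift.io cluster -o "jsonpath={.status.apiServerInternalURI}")"
```

A subject other than the node-bootstrapper account means the wrong secret was read; a server other than the internal API URI means the script's --server argument did not end up in the file, so the kubelet would not bootstrap the way the procedure intends.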
  • On the affected node (as root), stop the kubelet and back up its existing certificates and kubeconfig before removing them:
# systemctl stop kubelet
# mkdir -p /root/backup-certs
# cp -a /var/lib/kubelet/pki /var/lib/kubelet/kubeconfig /root/backup-certs
# rm -rf /var/lib/kubelet/pki /var/lib/kubelet/kubeconfig
  • From the bastion, copy the generated bootstrap kubeconfig to the node:
bastion# scp kubeconfig-bootstrap core@master00.example.com:/var/home/core
  • Back on the node, install it as the kubelet's bootstrap kubeconfig and start the kubelet again:
# cp /var/home/core/kubeconfig-bootstrap /etc/kubernetes/kubeconfig
# systemctl start kubelet
  • The kubelet now submits a new CSR using the node-bootstrapper service account; check for it and approve it:
# oc get csr
csr-9djn9   37s     system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Pending

# oc adm certificate approve csr-9djn9

Wait a little while; usually one more certificate request appears, this time from the affected node itself:

# oc get csr
csr-6gb68   5s      system:node:master-00.example.com          Pending
csr-9djn9   115s    system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued

# oc adm certificate approve csr-6gb68

After that, check the node status again and make sure it is Ready.
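Both approvals above are typed by hand against one CSR name, and that is the right habit: oc adm certificate approve hands a client or serving certificate to whoever made the request, so a Pending CSR should only be approved when its requester is the identity this procedure expects. The bash below is an added example, not part of the original post. It filters oc get csr output down to the Pending requests from the node-bootstrapper service account and from system:node:<node> for the node being recovered, and lists any other Pending CSR separately for a human to look at. The sample table is constructed; csrs_to_approve and unexpected_pending_csrs are this example's own names.

```bash
#!/bin/bash
# Added example (not from the original post): decide which Pending CSRs belong to the
# node being recovered before running "oc adm certificate approve". During this
# procedure only two requesters are expected, in this order:
#   1. the node-bootstrapper service account (client certificate)
#   2. system:node:<node>                     (serving certificate)
# Any other Pending CSR is listed separately instead of being approved by reflex.

BOOTSTRAPPER="system:serviceaccount:openshift-machine-config-operator:node-bootstrapper"

# Shared filter over "oc get csr" table output read from stdin.
# $1 = node name, $2 = "expected" or "unexpected": which group of Pending CSR names to print.
# NAME is always the first column and CONDITION the last; the REQUESTOR column moves
# between oc versions, so every middle column is compared against the two identities.
_filter_pending_csrs() {
    awk -v node="system:node:$1" -v sa="$BOOTSTRAPPER" -v mode="$2" '
        NR == 1          { next }        # header row
        $NF !~ /Pending/ { next }        # already Approved, Issued, Denied, ...
        {
            expected = 0
            for (i = 2; i < NF; i++)
                if ($i == node || $i == sa) expected = 1
            if ((mode == "expected") == expected) print $1
        }'
}

# Usage: oc get csr | csrs_to_approve <node>
# Prints the names of Pending CSRs that this recovery is expected to produce, one per line.
csrs_to_approve()         { _filter_pending_csrs "$1" expected; }

# Usage: oc get csr | unexpected_pending_csrs <node>
# Prints Pending CSRs from any other identity; these need a human look, not a blanket approve.
unexpected_pending_csrs() { _filter_pending_csrs "$1" unexpected; }

# Constructed sample of what "oc get csr" might show part-way through recovering
# master-00.example.com (same column layout as the output above; not real cluster data).
SAMPLE_CSR_OUTPUT='NAME        AGE    REQUESTOR                                                                   CONDITION
csr-6gb68   5s     system:node:master-00.example.com                                           Pending
csr-9djn9   115s   system:serviceaccount:openshift-machine-config-operator:node-bootstrapper   Approved,Issued
csr-zz7kq   40s    system:node:worker-03.example.com                                           Pending
csr-abc12   9s     system:serviceaccount:default:default                                       Pending'

echo "approve for master-00.example.com:"
printf '%s\n' "$SAMPLE_CSR_OUTPUT" | csrs_to_approve master-00.example.com
echo "leave for review:"
printf '%s\n' "$SAMPLE_CSR_OUTPUT" | unexpected_pending_csrs master-00.example.com

# Against a live cluster the approval stays explicit and per name:
#   oc get csr | csrs_to_approve master-00.example.com |
#     while read -r name; do oc adm certificate approve "$name"; done
```

On the constructed sample only csr-6gb68 is approvable for master-00.example.com; the Pending request from worker-03 and the one from the default service account are printed under "leave for review" and never passed to oc adm certificate approve.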

Ref:

  • https://access.redhat.com/solutions/4923031
About the author
Alan Adi Prastyo

Routecloud Networks
