Skip to content

Commit 4d65c98

Browse files
bergerhofferbergerhoffer
committed
OSDOCS-3366: Adding steps to check kubelet cert expirations
1 parent 39fc206 commit 4d65c98

File tree

1 file changed

+54
-4
lines changed

1 file changed

+54
-4
lines changed

modules/graceful-shutdown.adoc

Lines changed: 54 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -33,18 +33,68 @@ If your cluster fails to recover, follow the steps to restore to a previous clus
3333

3434
.Procedure
3535

36-
. If you are shutting the cluster down for an extended period, determine the date on which certificates expire.
36+
. If you plan to shut down the cluster for an extended period of time, determine the date that cluster certificates expire.
37+
+
38+
You must restart the cluster prior to the date that certificates expire. As the cluster restarts, the process might require you to manually approve the pending certificate signing requests (CSRs) to recover kubelet certificates.
39+
40+
.. Check the expiration date for the `kube-apiserver-to-kubelet-signer` CA certificate:
41+
+
42+
[source,terminal]
43+
----
44+
$ oc -n openshift-kube-apiserver-operator get secret kube-apiserver-to-kubelet-signer -o jsonpath='{.metadata.annotations.auth\.openshift\.io/certificate-not-after}{"\n"}'
45+
----
46+
+
47+
.Example output
48+
[source,terminal]
49+
----
50+
2023-08-05T14:37:50Z
51+
----
52+
53+
.. Check the expiration date for the kubelet certificates:
54+
55+
... Start a debug session for a control plane node by running the following command:
56+
+
57+
[source,terminal]
58+
----
59+
$ oc debug node/<node_name>
60+
----
61+
62+
... Change your root directory to `/host` by running the following command:
3763
+
3864
[source,terminal]
3965
----
40-
$ oc -n openshift-kube-apiserver-operator get secret kube-apiserver-to-kubelet-signer -o jsonpath='{.metadata.annotations.auth\.openshift\.io/certificate-not-after}'
66+
sh-4.4# chroot /host
67+
----
68+
69+
... Check the kubelet client certificate expiration date by running the following command:
70+
+
71+
[source,terminal]
72+
----
73+
sh-5.1# openssl x509 -in /var/lib/kubelet/pki/kubelet-client-current.pem -noout -enddate
74+
----
75+
+
76+
.Example output
77+
[source,terminal]
78+
----
79+
notAfter=Jun 6 10:50:07 2023 GMT
80+
----
81+
82+
... Check the kubelet server certificate expiration date by running the following command:
83+
+
84+
[source,terminal]
85+
----
86+
sh-5.1# openssl x509 -in /var/lib/kubelet/pki/kubelet-server-current.pem -noout -enddate
4187
----
4288
+
4389
.Example output
90+
[source,terminal]
4491
----
45-
2022-08-05T14:37:50Zuser@user:~ $ <1>
92+
notAfter=Jun 6 10:50:07 2023 GMT
4693
----
47-
<1> To ensure that the cluster can restart gracefully, plan to restart it on or before the specified date. As the cluster restarts, the process might require you to manually approve the pending certificate signing requests (CSRs) to recover kubelet certificates.
94+
95+
... Exit the debug session.
96+
97+
... Repeat these steps to check certificate expiration dates on all control plane nodes. To ensure that the cluster can restart gracefully, plan to restart it before the earliest certificate expiration date.
4898

4999
. Shut down all of the nodes in the cluster. You can do this from your cloud provider's web console, or run the following loop:
50100
+

0 commit comments

Comments
 (0)