Kubernetes: Renewing Client Admin Cert

When the client certificate for a k8s manager account has expired, create a new private key and certificate signing request (CSR) for the same CN, then sign the CSR with the k8s CA:

#!/bin/bash
# Run this from the K8s controller where the platform's CA keys are located
# Stop at the first failing step instead of continuing with missing files
set -euo pipefail
# Keep the new private key readable by the current user only
umask 077
cd ~/kubectl_cert/

# Get the current year
current_year=$(date +%Y)

# Generate private key
openssl genpkey -algorithm RSA -out "kubectl-${current_year}-k8admin-key.pem"

# Generate CSR
# O=system:masters is the group bound to cluster-admin, so protect the resulting key
openssl req -new -key "kubectl-${current_year}-k8admin-key.pem" \
    -out "kubectl-${current_year}-k8admin.csr" \
    -subj "/O=system:masters/CN=kubernetes-admin"

# Sign the CSR to create a certificate
# (-extensions is ignored without -extfile, so it is not passed here)
openssl x509 -req -in "kubectl-${current_year}-k8admin.csr" \
    -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial \
    -out "kubectl-${current_year}-k8admin-cert.pem" -days 365

# Check expiry is in future
openssl x509 -in "kubectl-${current_year}-k8admin-cert.pem" -noout -enddate

# Update kubeconfig with new credentials
# Use $HOME: bash does not expand ~ after the = of a --flag=value argument
kubectl config set-credentials kubernetes-admin \
    --client-certificate="$HOME/kubectl_cert/kubectl-${current_year}-k8admin-cert.pem" \
    --client-key="$HOME/kubectl_cert/kubectl-${current_year}-k8admin-key.pem"
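
The script above only prints the new expiry date. The following added example (not part of the original post) checks the renewed certificate against the CA, the private key, the expected subject and a minimum remaining lifetime before it is written into the kubeconfig. The function names `verify_admin_cert` and `make_demo_pki`, the 30-day default and the throwaway `demo-ca` are assumptions made for illustration.

```bash
#!/bin/bash
# Added example (helper names are hypothetical, not from the post).
# verify_admin_cert CERT KEY CA [MIN_DAYS]
# Returns 0 when every check passes, otherwise:
#   1 = not signed by CA, 2 = key does not match, 3 = wrong subject,
#   4 = expires within MIN_DAYS (default 30, an assumed threshold).
verify_admin_cert() {
    local cert="$1" key="$2" ca="$3" min_days="${4:-30}"
    local cert_pub key_pub subj

    # 1. The certificate must chain to the cluster CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1

    # 2. The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 2

    # 3. The subject must be exactly the identity requested in the CSR.
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    subj=${subj#subject=}
    subj=${subj# }
    [ "$subj" = "CN=kubernetes-admin,O=system:masters" ] || return 3

    # 4. The certificate must remain valid for at least MIN_DAYS more days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
        >/dev/null || return 4
}

# Constructed sample input: a throwaway CA and an admin certificate signed
# the same way as the script above, written to directory $1.
make_demo_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.crt" -subj "/CN=demo-ca" -days 3650 2>/dev/null &&
    openssl genpkey -algorithm RSA -out "$d/admin-key.pem" 2>/dev/null &&
    openssl req -new -key "$d/admin-key.pem" -out "$d/admin.csr" \
        -subj "/O=system:masters/CN=kubernetes-admin" &&
    openssl x509 -req -in "$d/admin.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/admin-cert.pem" -days 365 2>/dev/null
}
```

On the controller, call `verify_admin_cert` with the new cert, the new key and `/etc/kubernetes/pki/ca.crt` before running `kubectl config set-credentials`.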
