When the certificate for a k8s manager account has expired, create a new key request for the same CN and sign it against the k8s CA:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | #!/bin/bash# Run this from the K8s controller where the platform's CA keys are locatedcd ~/kubectl_cert/# Get the current yearcurrent_year=$(date +%Y)# Generate private keyopenssl genpkey -algorithm RSA -out kubectl-${current_year}-k8admin-key.pem# Generate CSRopenssl req -new -key kubectl-${current_year}-k8admin-key.pem -out kubectl-${current_year}-k8admin.csr -subj "/O=system:masters/CN=kubernetes-admin"# Sign the CSR to create a certificateopenssl x509 -req -in kubectl-${current_year}-k8admin.csr -CA /etc/kubernetes/pki/ca.crt -CAkey /etc/kubernetes/pki/ca.key -CAcreateserial -out kubectl-${current_year}-k8admin-cert.pem -days 365 -extensions v3_req# Check expiry is in futureopenssl x509 -in kubectl-${current_year}-k8admin-cert.pem -noout -enddate# Update kubeconfig with new credentialskubectl config set-credentials kubernetes-admin --client-certificate=~/kubectl_cert/kubectl-${current_year}-k8admin-cert.pem --client-key=~/kubectl_cert/kubectl-${current_year}-k8admin-key.pem |