Manually Replace Kubernetes Cluster Certificates deployed by Container Service Extension.

Article ID: 397680

Products

VMware Cloud Director

Issue/Introduction

Certificates on the Kubernetes Cluster Node deployed by Container Service Extension (CSE) have expired.

Environment

  • VMware Cloud Director 10.6.x
  • VMware Cloud Director 10.5.x
  • VMware Cloud Director Container Service Extension 4.2.x

Cause

Kubernetes has a default certificate expiration time of 1 year. VMware by Broadcom products adhere to this certificate expiration timeframe.

Resolution

Follow these steps to manually renew certificates:

  1. Log in as root via SSH or the VM console to each control plane node VM of the Kubernetes cluster.
    NOTE: Verify the auto-generated root password by opening the control plane node VM in the VCD UI and opening Guest OS Customization > Edit.
  2. Check the current certificate expiration dates by using the 'kubeadm certs check-expiration' command on each primary node of your cluster:
    kubeadm certs check-expiration
  3. To renew the certificates, use the 'kubeadm certs renew all' command on each primary node of your Kubernetes cluster:
    kubeadm certs renew all
  4. Recheck the expiration dates using the 'kubeadm certs check-expiration' command on each primary node of your cluster:
    kubeadm certs check-expiration
  5. Download the Kubernetes cluster's kubeconfig file from the VCD UI: Kubernetes Container Clusters > select Kubernetes cluster > Download Kube Config.
  6. Move the downloaded kubeconfig file to a client with kubectl installed and export it for use in kubectl commands:
    export KUBECONFIG=/<path_to_kubeconfig>/<kubeconfig_file_name>
  7. Restart the following control plane pods after the certificate renewal using the commands:
    kubectl get pods -n kube-system
    kubectl -n kube-system delete pod -l 'component=kube-apiserver'
    kubectl -n kube-system delete pod -l 'component=etcd'
    kubectl -n kube-system delete pod -l 'component=kube-scheduler'
    kubectl -n kube-system delete pod -l 'component=kube-controller-manager'
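
The expiration check in steps 2 and 4 can be scripted so that expired or soon-to-expire certificates stand out. The following is an added example, not part of the original article: the function names are hypothetical, the sample table is constructed, and the parser assumes the table layout that 'kubeadm certs check-expiration' prints (EXPIRES ending in "UTC", followed by the RESIDUAL TIME column).

```shell
#!/bin/sh
# Added example: flag certificates that `kubeadm certs check-expiration`
# reports as expired or close to expiry.

# Constructed sample in the layout kubeadm prints; not output from a real cluster.
sample_output() {
cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 02, 2026 10:15 UTC   21d             ca                      no
apiserver                  Mar 02, 2026 10:15 UTC   21d             ca                      no
apiserver-etcd-client      Feb 09, 2026 10:15 UTC   <invalid>       etcd-ca                 no
etcd-server                Feb 10, 2026 04:15 UTC   18h             etcd-ca                 no
front-proxy-client         Feb 08, 2027 10:15 UTC   364d            front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 06, 2035 10:15 UTC   9y              no
EOF
}

# certs_needing_renewal THRESHOLD_DAYS   (reads kubeadm output on stdin)
# Prints "<name> <state>" for each certificate that is expired or has fewer
# than THRESHOLD_DAYS left. Exit status is 1 if any was printed, 0 otherwise.
certs_needing_renewal() {
  awk -v limit="$1" '
    # Data rows end the EXPIRES column with "UTC" in field 6;
    # field 7 is RESIDUAL TIME. Headers and log lines are skipped.
    $6 != "UTC" { next }
    {
      r = $7
      if (r == "<invalid>") { print $1, "expired"; bad = 1; next }
      n = r; sub(/[a-z]+$/, "", n); n += 0   # numeric part of e.g. "21d"
      unit = substr(r, length(r))            # single unit letter: y, d, h, m or s
      if (unit == "y")      days = n * 365
      else if (unit == "d") days = n
      else                  days = 0         # h, m, s: less than one day left
      if (days < limit + 0) { print $1, r; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Demo on the constructed sample. On a control plane node, use instead:
#   kubeadm certs check-expiration | certs_needing_renewal 30
sample_output | certs_needing_renewal 30 || echo "renewal needed"
```

Run before step 3, a non-zero exit status identifies which certificates prompted the renewal; run again after step 4, it should print nothing and exit 0.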

 

NOTE: Please refer to the following documentation for more information:

Certificate Management with kubeadm

kubeadm certs