Update k8s cluster certificate

Each component constitute Kubernetes communicates through an internal certificate. Follow the procedure below if the k8s cluster certificate needs to be updated.

1.First, delete the existing certificates for each master and worker node.

# ssh to master node
# rm -rf /opt/kubernetes/pki
# rm -rf /etc/kubernetes/pki

2.Regenerate the certificate.

Update the certificate by running cert.yaml in the directory where the installation was previously performed.

Enter the IP or DNS to be added at IP.N in openssl.conf.

# vi cubescripts/roles/sslcert/openssl.conf.j2
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.{{ cluster_name }}
DNS.5 = {{ domain_name }}
DNS.6 = *.{{ domain_name }}
DNS.7 = localhost
{% if cloud_provider == 'azure' or cloud_provider == 'aws' -%}
DNS.8 = {{ lb_ip }}
{% endif -%}
IP.1 = 127.0.0.1
IP.2 = {{ kubernetes_service_ip }}
{% if cloud_provider == 'baremetal' or cloud_provider == 'rovius' or cloud_provider == 'virtualbox' -%}
IP.3 = {{ lb_ip }}
IP.4 = 14.52.93.202
{% endif -%}


# ansible-playbook -i inventories/inventory -u {userId} cert.yaml

3.Delete all default tokens generated in k8s.

# kubectl get secrets --all-namespaces | grep default-token | awk '{print $1, $2}' | xargs -n 2 kubectl delete secrets -n

4.Reboot in a worker node -> master node order.

# reboot