Normally a Kubernetes environment is well maintained and regularly updated to the most recent version of Kubernetes. However, when a Kubernetes environment is used only for an HCL Connections Component Pack installation, this might not be on your radar, and it's easy to let it run unattended. If you do that for too long, that is, for longer than one year, you'll get into trouble, which shows up as this error message:
[authentication.go:64] Unable to authenticate the request due to an error: [x509: certificate has expired or is not yet valid, x509: certificate has expired or is not yet valid]
By default, the internal Kubernetes certificates are valid for one year only. They are renewed when you upgrade your Kubernetes environment. But if you forget to do that, your certificates will expire and you will no longer be able to manage your environment.
Luckily, since version 1.15 Kubernetes has some functions to help you.
kubeadm alpha certs check-expiration
This shows you the expiration date of each of your Kubernetes certificates. The output will look something like:
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 06, 2022 16:06 UTC   364d                                    no
apiserver                  Dec 06, 2022 16:06 UTC   364d            ca                      no
apiserver-etcd-client      Dec 06, 2022 16:06 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Dec 06, 2022 16:06 UTC   364d            ca                      no
controller-manager.conf    Dec 06, 2022 16:06 UTC   364d                                    no
etcd-healthcheck-client    Dec 06, 2022 16:06 UTC   364d            etcd-ca                 no
etcd-peer                  Dec 06, 2022 16:06 UTC   364d            etcd-ca                 no
etcd-server                Dec 06, 2022 16:06 UTC   364d            etcd-ca                 no
front-proxy-client         Dec 06, 2022 16:06 UTC   364d            front-proxy-ca          no
scheduler.conf             Dec 06, 2022 16:06 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 10, 2030 12:07 UTC   8y              no
etcd-ca                 Nov 10, 2030 12:07 UTC   8y              no
front-proxy-ca          Nov 10, 2030 12:07 UTC   8y              no
If your certificates have expired, your residual time will of course be zero. To renew your certificates, you can use:
kubeadm alpha certs renew all
This will renew all certificates of your Kubernetes environment, including the admin config file (/etc/kubernetes/admin.conf). You need to copy that file to ~/.kube/config on all nodes to be able to use kubectl commands from that node. After renewing the certificates, you will need to reboot your master and workers.
Renewing the certificates by hand like this is not the preferred way, though. The preferred way is to upgrade your Kubernetes environment regularly, so that its certificates never expire.
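To notice a shrinking residual time before the API server starts rejecting requests, the check-expiration output shown above can be parsed from a scheduled job. The script below is an added example, not part of the original post: the function names, the 30-day window and the sample rows are constructed, and treating a residual value that is not a duration as already expired is an assumption.

```bash
#!/usr/bin/env bash
# Added example: flag certificates that are close to expiry, based on the
# output of `kubeadm alpha certs check-expiration` read from stdin.

# expiring_certs DAYS -> prints "name residual" for every row below DAYS.
expiring_certs() {
  awk -v limit="$1" '
    # Skip blank lines, kubeadm log lines ("[check-expiration] ...") and headers.
    NF < 7 || $1 ~ /^\[/ || $1 == "CERTIFICATE" { next }
    {
      # EXPIRES spans fields 2-6 ("Dec 06, 2022 16:06 UTC"); RESIDUAL TIME is field 7.
      r = $7
      if      (r ~ /^[0-9]+y$/)     days = (r + 0) * 365
      else if (r ~ /^[0-9]+d$/)     days = r + 0
      else if (r ~ /^[0-9]+[smh]$/) days = 0
      else                          days = -1   # assumption: not a duration means expired
      if (days < limit) printf "%s %s\n", $1, r
    }'
}

# certs_need_renewal DAYS -> exit status 1 if anything is inside the window,
# so a cron job or monitoring check can alert on it.
certs_need_renewal() {
  flagged=$(expiring_certs "$1")
  if [ -z "$flagged" ]; then
    return 0
  fi
  printf 'Certificates to renew:\n%s\n' "$flagged" >&2
  return 1
}

# Constructed sample in the layout shown above (not real cluster output).
sample_output() {
  cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 06, 2022 16:06 UTC   364d                                    no
apiserver                  Dec 26, 2021 16:06 UTC   20d             ca                      no
etcd-server                Dec 01, 2021 16:06 UTC   <invalid>       etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 10, 2030 12:07 UTC   8y              no
EOF
}

# Demo on the sample; on a master node use:
#   kubeadm alpha certs check-expiration | certs_need_renewal 30
sample_output | expiring_certs 30
```

Run it on the master node, where kubeadm reads the certificates from local files, so the check keeps working even after kubectl has stopped authenticating.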