Introduction
This document describes the procedure to renew Kubernetes certificates in Cisco 5G RCM (Redundancy Configuration Manager).
Prerequisite
In an RCM High Availability setup, execute the procedure on the standby RCM first, then perform a switchover, and run the procedure on the new standby RCM. If RCM High Availability is not available, UP redundancy is not available during the RCM reboot, which is part of the certificate renewal process.
Check if the certificates are expired
To check whether the certificates have expired, run sudo kubeadm alpha certs check-expiration.
ubuntu@rcm:~$ sudo kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Oct 31, 2024 03:34 UTC   <invalid>       no
apiserver                  Oct 31, 2024 03:34 UTC   <invalid>       no
apiserver-etcd-client      Oct 31, 2024 03:34 UTC   <invalid>       no
apiserver-kubelet-client   Oct 31, 2024 03:34 UTC   <invalid>       no
controller-manager.conf    Oct 31, 2024 03:34 UTC   <invalid>       no
etcd-healthcheck-client    Oct 31, 2024 03:34 UTC   <invalid>       no
etcd-peer                  Oct 31, 2024 03:34 UTC   <invalid>       no
etcd-server                Oct 31, 2024 03:34 UTC   <invalid>       no
front-proxy-client         Oct 31, 2024 03:34 UTC   <invalid>       no
scheduler.conf             Oct 31, 2024 03:34 UTC   <invalid>       no
Renew the certificates
Run sudo kubeadm alpha certs renew all to renew the certificates.
ubuntu@rcm:~$ sudo kubeadm alpha certs renew all
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healtcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
Check again if the certificates are renewed
Run sudo kubeadm alpha certs check-expiration to check if the certificates are renewed.
ubuntu@rcm:~$ sudo kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Nov 01, 2025 03:34 UTC   364d            no
apiserver                  Nov 01, 2025 03:34 UTC   364d            no
apiserver-etcd-client      Nov 01, 2025 03:34 UTC   364d            no
apiserver-kubelet-client   Nov 01, 2025 03:34 UTC   364d            no
controller-manager.conf    Nov 01, 2025 03:34 UTC   364d            no
etcd-healthcheck-client    Nov 01, 2025 03:34 UTC   364d            no
etcd-peer                  Nov 01, 2025 03:34 UTC   364d            no
etcd-server                Nov 01, 2025 03:34 UTC   364d            no
front-proxy-client         Nov 01, 2025 03:34 UTC   364d            no
scheduler.conf             Nov 01, 2025 03:34 UTC   364d            no
Modify kubelet.conf
In kubeadm versions prior to 1.17, kubelet.conf must be modified manually. Replace client-certificate-data and client-key-data with these entries.
/etc/kubernetes/kubelet.conf
client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem
client-key: /var/lib/kubelet/pki/kubelet-client-current.pem
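The kubelet.conf edit described above, scripted with a backup, as an added example that is not part of the original document. The function names, the sample kubeconfig fragment and its placeholder values are constructed for illustration; the demo runs on a temporary file, not on /etc/kubernetes/kubelet.conf.

```shell
#!/bin/sh
# Added example, not from the original document. Rewrites a kubelet kubeconfig
# so it references the client certificate file instead of embedded base64 data.

PEM=/var/lib/kubelet/pki/kubelet-client-current.pem  # path given in the document

# patch_kubelet_conf FILE (hypothetical helper name)
# Swaps client-certificate-data / client-key-data for file references, keeping
# indentation. Writes FILE.bak first; does nothing if already patched.
patch_kubelet_conf() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    grep -Eq '^[[:space:]]*client-(certificate|key)-data:' "$conf" || return 0
    cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp) || return 1
    sed -E \
        -e "s|^([[:space:]]*)client-certificate-data:.*\$|\1client-certificate: $PEM|" \
        -e "s|^([[:space:]]*)client-key-data:.*\$|\1client-key: $PEM|" \
        "$conf.bak" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat into the existing file keeps its owner and mode.
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# count_embedded FILE: prints how many embedded credential fields remain.
count_embedded() {
    grep -Ec '^[[:space:]]*client-(certificate|key)-data:' "$1" || true
}

# make_sample FILE: constructed kubeconfig fragment with placeholder values.
make_sample() {
    cat > "$1" <<'EOF'
users:
- name: system:node:rcm
  user:
    client-certificate-data: PLACEHOLDER_BASE64_CERT
    client-key-data: PLACEHOLDER_BASE64_KEY
EOF
}

# Demo on a temporary copy; the real file is /etc/kubernetes/kubelet.conf.
demo=$(mktemp)
make_sample "$demo"
patch_kubelet_conf "$demo"
cat "$demo"
rm -f "$demo" "$demo.bak"
```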
Copy admin.conf
Copy admin.conf to overwrite .kube/config.
sudo cp /etc/kubernetes/admin.conf ~/.kube/config
Reboot the system
sudo reboot
Verify that the kubectl command works
After the reboot, verify that the kubectl command works.
ubuntu@rcm:~$ kubectl get node
NAME   STATUS   ROLES        AGE   VERSION
rcm    Ready    master,oam   16d   v1.15.12