Renewing your Kubernetes Certificate
The following is a procedure for renewing the Sisense deployed Kubernetes certificate using the Sisense Kubespray deployment. Note that this procedure is not applicable to the RKE deployment.
Kubernetes-internal certificates expire after one year. If you do not renew your certificate, Sisense ceases to
function and you get the following error: "Part of the existing bootstrap client certificate expired".
You can verify when your certificate will expire by running the following command on your master node:
openssl x509 -enddate -noout -in "/etc/kubernetes/ssl/apiserver.crt"
openssl x509 -enddate -noout -in "/etc/kubernetes/ssl/ca.crt"
openssl x509 -enddate -noout -in "/etc/kubernetes/ssl/apiserver.crt"
openssl x509 -enddate -noout -in "/etc/kubernetes/ssl/ca.crt"
You have several options for renewing your certificate. The easiest way is to Backing up and Restoring Sisense Sisense, uninstall your clusters, and then re-install Sisense.
A second option is to back up Sisense, install Sisense in a new environment, and then restore your back up.
To renew your certificate on the existing server
- Perform a full backup of Sisense. Refer to Backing up and Restoring Sisense.
- Backup and replace your certificates with the following commands on each master node; do not use the root account
- you can use sudo whenever it is needed:
cp -R /etc/kubernetes/ssl /etc/kubernetes/ssl.backup
cp /etc/kubernetes/admin.conf /etc/kubernetes/admin.conf.backup
cp /etc/kubernetes/controller-manager.conf /etc/kubernetes/controller-manager.conf.backup
cp /etc/kubernetes/kubelet.conf /etc/kubernetes/kubelet.conf.backup
cp /etc/kubernetes/scheduler.conf /etc/kubernetes/scheduler.conf.backup
- Run the following commands to renew certificates:
kubeadm alpha certs renew apiserver-kubelet-client
kubeadm alpha certs renew apiserver
kubeadm alpha certs renew front-proxy-client
kubeadm alpha kubeconfig user --client-name system:kube-controller-manager >
/etc/kubernetes/controller-manager.conf
kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf
kubeadm alpha kubeconfig user --client-name system:node:$(hostname) --org system:nodes >
/etc/kubernetes/kubelet.conf - Regenerate the Admin certificate:
kubeadm alpha kubeconfig user --client-name kubernetes-admin --org system:masters > /etc/kubernetes/admin.conf
cp /etc/kubernetes/admin.conf ~/.kube/config - Restart the following processes:
sudo docker ps | egrep -i "kube-apiserver|kube-controller-manager|kube-scheduler" | grep -i k8s_pod | awk
'{print$1}' | xargs docker rm -fIf this step ends in an error, and processes are not able to restart properly, try to restart the node. If that does not work, uninstall Sisense (including Kubernetes) and reinstall.
- Restart the kubelet service:
sudo systemctl restart kubelet
- Ensure that the processes were restarted properly (verify their uptime is from now):
sudo docker ps | egrep -i "kube-apiserver|kube-controller-manager|kube-scheduler"
- Check the certificate new expiration dates:
openssl x509 -enddate -noout -in "/etc/kubernetes/ssl/apiserver.crt"
openssl x509 -enddate -noout -in "/etc/kubernetes/ssl/ca.crt" - After renewing and applying certificates on your master nodes, if the worker node is still in a NotReady state, perform the following:
- Execute kubeadm token create --print-join-command on a ready master node.
- Copy the output and run it on the not ready worker node.
- Restart the kubelet service:
systemctl restart kubelet
.
-
If the overall renewal process does not work you will have to uninstall Sisense (including Kubernetes) and reinstall it.
Uninstalling Sisense:
- Edit your installation config file
- Make sure "update" is false, and set uninstall cluster/uninstall sisense to true
- Make sure "remove user data" is false.
- Run the installation script to uninstall as follows with a NON-root user or sudo:
./sisense.sh <config file name>.yaml
Reinstall Sisense:
- Edit your installation config file
- Make sure "update" is false
- Set "uninstall cluster/uninstall sisense" to false
- Run the installation as follows with a NON-root user or sudo:
./sisense.sh <config file name>.yaml
- Edit your installation config file