
Question 22 - Check Certificate Validity

Question 22 | Check how long certificates are valid

Use context: kubectl config use-context k8s-c2-AC

Check how long the kube-apiserver server certificate is valid on cluster2-controlplane1. Do this with openssl or cfssl. Write the expiration date into /opt/course/22/expiration.

Also run the correct kubeadm command to list the expiration dates and confirm both methods show the same date.

Write the correct kubeadm command that would renew the apiserver server certificate into /opt/course/22/kubeadm-renew-certs.sh.



# First let's find that certificate:

ssh cluster2-controlplane1

root@cluster2-controlplane1:~# find /etc/kubernetes/pki | grep apiserver

/etc/kubernetes/pki/apiserver.crt
/etc/kubernetes/pki/apiserver-etcd-client.crt
/etc/kubernetes/pki/apiserver-etcd-client.key
/etc/kubernetes/pki/apiserver-kubelet-client.crt
/etc/kubernetes/pki/apiserver.key
/etc/kubernetes/pki/apiserver-kubelet-client.key

# Let's use the openssl command to inspect the certificate

root@cluster2-controlplane1:~# openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt | grep Validity -A2

Validity
Not Before: Dec 20 18:05:20 2022 GMT
Not After : Dec 20 18:05:20 2023 GMT

echo "Dec 20 18:05:20 2023 GMT" > /opt/course/22/expiration

# You can also use kubeadm to check the certificates

root@cluster2-controlplane1:~# kubeadm certs check-expiration | grep apiserver
apiserver Jan 14, 2022 18:49 UTC 363d ca no
apiserver-etcd-client Jan 14, 2022 18:49 UTC 363d etcd-ca no
apiserver-kubelet-client Jan 14, 2022 18:49 UTC 363d ca no

# /opt/course/22/kubeadm-renew-certs.sh
kubeadm certs renew apiserver

# If you run the check again after the renewal, you'll see the renewed certificates
root@cluster2-controlplane1:~# kubeadm certs check-expiration | grep apiserver
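
The following script is an added example, not part of the original walkthrough: it generalizes the openssl check above to every certificate in a kubeadm-style PKI directory and flags those inside a renewal window. The function names, the 30-day window and the sample certificates (generated locally into a temp directory) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough). Function names and the
# 30-day window are assumptions; the sample certs are constructed locally.

# Print a certificate's notAfter date, e.g. "Dec 20 18:05:20 2023 GMT".
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Exit 0 if the certificate expires within the next $2 days.
cert_expires_within_days() {
  # -checkend exits 0 when the cert is still valid N seconds from now.
  ! openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Report every *.crt in $1 and one level below it (e.g. pki/etcd).
# Returns 1 if any certificate falls inside the $2-day renewal window.
audit_pki() {
  local dir=$1 days=$2 rc=0 crt status
  for crt in "$dir"/*.crt "$dir"/*/*.crt; do
    [ -f "$crt" ] || continue
    status=OK
    if cert_expires_within_days "$crt" "$days"; then status=RENEW; rc=1; fi
    printf '%-6s %-30s %s\n' "$status" "${crt#"$dir"/}" "$(cert_not_after "$crt")"
  done
  return "$rc"
}

# Build a constructed PKI directory: one 365-day and one 10-day self-signed cert.
make_sample_pki() {
  local dir=$1 spec name days
  for spec in apiserver:365 apiserver-kubelet-client:10; do
    name=${spec%%:*}; days=${spec#*:}
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
      -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
  done
}

# Demo on the constructed sample, never on a real cluster.
SAMPLE_PKI=$(mktemp -d)
make_sample_pki "$SAMPLE_PKI"
audit_pki "$SAMPLE_PKI" 30 || echo "at least one certificate is inside the renewal window"
```

On a control plane node, `audit_pki /etc/kubernetes/pki 30` runs the same check against the real certificates.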