
Pregunta 22 - Verificar Validez de Certificados

Question 22 | Check how long certificates are valid

Use context: kubectl config use-context k8s-c2-AC

Check how long the kube-apiserver server certificate is valid on cluster2-controlplane1. Do this with openssl or cfssl. Write the expiration date into /opt/course/22/expiration.

Also run the correct kubeadm command to list the expiration dates and confirm both methods show the same date.

Write the correct kubeadm command that would renew the apiserver server certificate into /opt/course/22/kubeadm-renew-certs.sh.



# First let's find that certificate:

ssh cluster2-controlplane1

root@cluster2-controlplane1:~# find /etc/kubernetes/pki | grep apiserver

/etc/kubernetes/pki/apiserver.crt
/etc/kubernetes/pki/apiserver-etcd-client.crt
/etc/kubernetes/pki/apiserver-etcd-client.key
/etc/kubernetes/pki/apiserver-kubelet-client.crt
/etc/kubernetes/pki/apiserver.key
/etc/kubernetes/pki/apiserver-kubelet-client.key

# vamos a usar el comando openssl para evaluar los certificados

root@cluster2-controlplane1:~# openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt | grep Validity -A2

Validity
Not Before: Dec 20 18:05:20 2022 GMT
Not After : Dec 20 18:05:20 2023 GMT

echo "Dec 20 18:05:20 2023 GMT" > /opt/course/22/expiration

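# También se puede usar kubeadm para verificar los certificados. La fecha de la fila "apiserver" debe coincidir con el "Not After" que mostró openssl; la salida de ejemplo de abajo muestra otra fecha, por lo que parece proceder de una captura distinta.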

root@cluster2-controlplane1:~# kubeadm certs check-expiration | grep apiserver
apiserver Jan 14, 2022 18:49 UTC 363d ca no
apiserver-etcd-client Jan 14, 2022 18:49 UTC 363d etcd-ca no
apiserver-kubelet-client Jan 14, 2022 18:49 UTC 363d ca no

# /opt/course/22/kubeadm-renew-certs.sh
kubeadm certs renew apiserver

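# Si ejecutamos el comando de renovación y volvemos a comprobar, veremos la nueva fecha de expiración. Ojo: kubeadm renueva el fichero en /etc/kubernetes/pki, pero el kube-apiserver sigue sirviendo el certificado antiguo hasta que se reinicia su pod estático.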
root@cluster2-controlplane1:~# kubeadm certs check-expiration | grep apiserver