Cert update (#41)

* update cert instruction docs
wireapp · Mar 30, 2020 · b352c83 · b352c83
1 parent d3bc284
commit b352c83
Showing 1 changed file with 36 additions and 11 deletions.
diff --git a/.../administrate/kubernetes/certificate-renewal/scenario-1_k8s-v1.14-kubespray.rst b/.../administrate/kubernetes/certificate-renewal/scenario-1_k8s-v1.14-kubespray.rst
@@ -126,9 +126,9 @@ renewed. This can be confirmed, by executing parts of (1).*
 
 .. code:: bash
 
-   kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin  > admin.conf
-   kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > controller-manager.conf
-   kubeadm alpha kubeconfig user --client-name system:kube-scheduler > scheduler.conf
+   kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin  > /etc/kubernetes/admin.conf
+   kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf
+   kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf
 
 *Again, check if ownership and permission for these files are the same
 as all the others around them.*
@@ -163,13 +163,14 @@ c) Remove old certificates and configuration
 
 ::
 
-   rm -rf /var/lib/kubelet/pki/*
+   mv /var/lib/kubelet/pki{,old}
+   mkdir /var/lib/kubelet/pki
 
 d) Generate new kubeconfig file for the kubelet
 
 ::
 
-   kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > kubelet.conf
+   kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf
 
 e) Start kubelet again
 
@@ -191,15 +192,39 @@ g) Allow workload to be scheduled again on the node
 
 7. Copy certificates over to all the other nodes
 
+Option A - you can ssh from one kubernetes node to another
+
 .. code:: bash
 
-   scp ./ssl/apiserver.* root@kubenode02:/etc/kubernetes/ssl/
-   scp ./ssl/apiserver.* root@kubenode03:/etc/kubernetes/ssl/
+   # set the ip or hostname:
+   export NODE2=root@ip-or-hostname
+   export NODE3=...
+
+   scp ./ssl/apiserver.* "${NODE2}:/etc/kubernetes/ssl/"
+   scp ./ssl/apiserver.* "${NODE3}:/etc/kubernetes/ssl/"
+
+   scp ./ssl/apiserver-kubelet-client.* "${NODE2}:/etc/kubernetes/ssl/"
+   scp ./ssl/apiserver-kubelet-client.* "${NODE3}:/etc/kubernetes/ssl/"
+
+   scp ./ssl/front-proxy-client.* "${NODE2}:/etc/kubernetes/ssl/"
+   scp ./ssl/front-proxy-client.* "${NODE3}:/etc/kubernetes/ssl/"
+
+Option B - copy via local administrator's machine
+
+.. code:: bash
+
+   # set the ip or hostname:
+   export NODE1=root@ip-or-hostname
+   export NODE2=
+   export NODE3=
+
+   scp -3 "${NODE1}:/etc/kubernetes/ssl/apiserver.*" "${NODE2}:/etc/kubernetes/ssl/"
+   scp -3 "${NODE1}:/etc/kubernetes/ssl/apiserver.*" "${NODE3}:/etc/kubernetes/ssl/"
 
-   scp ./ssl/apiserver-kubelet-client.* root@kubenode02:/etc/kubernetes/ssl/
-   scp ./ssl/apiserver-kubelet-client.* root@kubenode03:/etc/kubernetes/ssl/
+   scp -3 "${NODE1}:/etc/kubernetes/ssl/apiserver-kubelet-client.*" "${NODE2}:/etc/kubernetes/ssl/"
+   scp -3 "${NODE1}:/etc/kubernetes/ssl/apiserver-kubelet-client.*" "${NODE3}:/etc/kubernetes/ssl/"
 
-   scp ./ssl/front-proxy-client.* root@kubenode02:/etc/kubernetes/ssl/
-   scp ./ssl/front-proxy-client.* root@kubenode03:/etc/kubernetes/ssl/
+   scp -3 "${NODE1}:/etc/kubernetes/ssl/front-proxy-client.*" "${NODE2}:/etc/kubernetes/ssl/"
+   scp -3 "${NODE1}:/etc/kubernetes/ssl/front-proxy-client.*" "${NODE3}:/etc/kubernetes/ssl/"
 
 8. Continue again with (4) for each node that is left