From 85ce68ccff9183a9bd2c8969da2f28363985d1bd Mon Sep 17 00:00:00 2001 From: Sai Date: Sat, 23 Mar 2024 14:16:30 -0400 Subject: [PATCH 01/17] added instructions to update kubeconfig --- .../security/manually-renew-certs.md | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 001155f83c26..5c4d8c9d3631 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md 
@@ -168,3 +168,74 @@ ${IMAGE_ID} tmp-cert-renew \ 5. Repeat the above steps for all control plane nodes. You can similarly use the above steps to rotate a single certificate instead of all certificates. + +#### Update kubeconfig on Admin machine + +Post completion of manual certificate rotation or if your Cluster was created more than a year ago, your kubeconfig file on Admin machine will have outdated certificates and would result in following error, + +``` +Error: Couldn't get current Server API group list: the server has asked for the client to provide credentials error: you must be logged in to the server. +This error typically occurs when the cluster certificates have been renewed or extended during the upgrade process. To resolve this issue, you need to update your local kubeconfig file with the new cluster credentials. +``` + +Follow below steps to update kubeconfig on Admin machine. + +1. SSH to one of the Control Plane nodes and run the following command to validate connection with API Server, export kubeconfig from `${CLUSTER_NAME}-kubeconfig` secret object (`eksa-system` namespace) using kubectl and copy kubeconfig file to `/tmp` directory. 
+ +``` +ssh +``` + +{{< tabpane >}} +{{< tab header="Ubuntu or RHEL" lang="bash" >}} + +export CLUSTER_NAME="" + +cat /var/lib/kubeadm/admin.conf +export KUBECONFIG="/var/lib/kubeadm/admin.conf" + +kubectl get nodes -o wide +kubectl get secrets -A + +kubectl get secret ${CLUSTER_NAME}-kubeconfig -n eksa-system -o yaml > new-admin.kubeconfig + +cat new-admin.kubeconfig | base64 -d > /tmp/new-admin-decoded.kubeconfig + +{{< /tab >}} + +{{< tab header="Bottlerocket" lang="bash" >}} +# you would be in the admin container when you ssh to the Bottlerocket machine +# open a root shell +sudo sheltie + +export CLUSTER_NAME="" + +cat /var/lib/kubeadm/admin.conf +export KUBECONFIG="/var/lib/kubeadm/admin.conf" + +kubectl get nodes -o wide +kubectl get secrets -A + +cat new-admin.kubeconfig | base64 -d > /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/new-admin-decoded.kubeconfig + +{{< /tab >}} +{{< /tabpane >}} + + +2. **SSH to Admin Machine**, download the kubeconfig file from ControlPlane to your Admin machine and access Kubernetes Cluster + +``` +ssh + +export CONTROLPLANE_IP="" +scp -i @${CONTROLPLANE_IP}:/tmp/new-admin-decoded.kubeconfig . + +# OR SFTP + +sftp -i @${CONTROLPLANE_IP}:/tmp/new-admin-decoded.kubeconfig . + +ls -ltr +export KUBECONFIG="new-admin-decoded.kubeconfig" + +kubectl get pods +``` From 8a212d73f36990876ec3d7e8d5e6370d694d0048 Mon Sep 17 00:00:00 2001 From: Sai Date: Sun, 31 Mar 2024 19:25:53 -0400 Subject: [PATCH 02/17] Updated active subscriptions deletion notes --- .../en/docs/clustermgmt/support/purchase-subscription.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/en/docs/clustermgmt/support/purchase-subscription.md b/docs/content/en/docs/clustermgmt/support/purchase-subscription.md index 4eadf44b9be5..66417a491e2a 100644 --- a/docs/content/en/docs/clustermgmt/support/purchase-subscription.md +++ b/docs/content/en/docs/clustermgmt/support/purchase-subscription.md 
@@ -184,7 +184,7 @@ aws eks tag-resource \ ## Delete Subscriptions ->**_NOTE_** Only inactive subscriptions can be deleted. Deleting inactive subscriptions removes them from the AWS Management Console view and API responses. +>**_NOTE_** Only inactive subscriptions can be deleted. Deleting inactive subscriptions removes them from the AWS Management Console view and API responses. To delete any Active Subscriptions, Please create a Support Case with AWS Support team. ### AWS Management Console From 8ee451c1f3730597fbdbec32e4483319a132b41d Mon Sep 17 00:00:00 2001 From: Sai Teja Penugonda Date: Thu, 23 May 2024 08:15:08 -0400 Subject: [PATCH 03/17] changes after review comments --- .../security/manually-renew-certs.md | 29 +++++-------------- 1 file changed, 8 insertions(+), 21 deletions(-) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 5c4d8c9d3631..f8b1853ee912 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md @@ -85,7 +85,7 @@ ${IMAGE_ID} tmp-cert-renew \ sudo etcdctl --cacert=/etc/etcd/pki/ca.crt --cert=/etc/etcd/pki/etcdctl-etcd-client.crt --key=/etc/etcd/pki/etcdctl-etcd-client.key member list {{< /tab >}} {{< tab header="Bottlerocket" lang="bash" >}} -ETCD_CONTAINER_ID=$(ctr -n k8s.io c ls | grep -w "etcd-io" | cut -d " " -f1) +ETCD_CONTAINER_ID=$(ctr -n k8s.io c ls | grep -w "etcd-io" | cut -d " " -f1 | tail -1) ctr -n k8s.io t exec -t --exec-id etcd ${ETCD_CONTAINER_ID} etcdctl \ --cacert=/var/lib/etcd/pki/ca.crt \ --cert=/var/lib/etcd/pki/server.crt \ 
@@ -151,7 +151,7 @@ ${IMAGE_ID} tmp-cert-renew \ {{< /tab >}} {{< /tabpane >}} -3. If you have external etcd nodes, manually replace the `api-server-etcd-client.crt` and `api-server-etcd-client.key` file in `/etc/kubernetes/pki` (or `/var/lib/kubeadm/pki` in Bottlerocket) folder with the files you saved from any etcd node. +3. If you have external etcd nodes, manually replace the `server-etcd-client.crt` and `apiserver-etcd-client.key` file in `/etc/kubernetes/pki` (or `/var/lib/kubeadm/pki` in Bottlerocket) folder with the files you saved from any etcd node. 4. Restart static control plane pods. 
@@ -169,16 +169,16 @@ ${IMAGE_ID} tmp-cert-renew \ You can similarly use the above steps to rotate a single certificate instead of all certificates. -#### Update kubeconfig on Admin machine +#### What do I do if my local kubeconfig has expired? -Post completion of manual certificate rotation or if your Cluster was created more than a year ago, your kubeconfig file on Admin machine will have outdated certificates and would result in following error, +Your local kubeconfig used to interact with the cluster contains a certificate that expires after 1 year. When you rotate cluster certificates a new kubeconfig with a new certificate is created as a Secret in the cluster. If you do not retrieve the new kubeconfig and your local kubeconfig certificate expires you will receive the following error: ``` Error: Couldn't get current Server API group list: the server has asked for the client to provide credentials error: you must be logged in to the server. This error typically occurs when the cluster certificates have been renewed or extended during the upgrade process. To resolve this issue, you need to update your local kubeconfig file with the new cluster credentials. ``` -Follow below steps to update kubeconfig on Admin machine. +You can extract your new kubeconfig using the following steps. 1. SSH to one of the Control Plane nodes and run the following command to validate connection with API Server, export kubeconfig from `${CLUSTER_NAME}-kubeconfig` secret object (`eksa-system` namespace) using kubectl and copy kubeconfig file to `/tmp` directory. @@ -194,12 +194,9 @@ export CLUSTER_NAME="" cat /var/lib/kubeadm/admin.conf export KUBECONFIG="/var/lib/kubeadm/admin.conf" -kubectl get nodes -o wide -kubectl get secrets -A - kubectl get secret ${CLUSTER_NAME}-kubeconfig -n eksa-system -o yaml > new-admin.kubeconfig -cat new-admin.kubeconfig | base64 -d > /tmp/new-admin-decoded.kubeconfig +cat new-admin.kubeconfig > /tmp/new-admin-decoded.kubeconfig {{< /tab >}} 
@@ -208,21 +205,15 @@ cat new-admin.kubeconfig | base64 -d > /tmp/new-admin-decoded.kubeconfig # open a root shell sudo sheltie -export CLUSTER_NAME="" - cat /var/lib/kubeadm/admin.conf export KUBECONFIG="/var/lib/kubeadm/admin.conf" -kubectl get nodes -o wide -kubectl get secrets -A - -cat new-admin.kubeconfig | base64 -d > /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/new-admin-decoded.kubeconfig +cat new-admin.kubeconfig > /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/new-admin-decoded.kubeconfig {{< /tab >}} {{< /tabpane >}} - -2. **SSH to Admin Machine**, download the kubeconfig file from ControlPlane to your Admin machine and access Kubernetes Cluster +2. From your admin machine, download the kubeconfig file from the ControlPlane node and use it to access your Kubernetes Cluster. ``` ssh @@ -230,10 +221,6 @@ ssh export CONTROLPLANE_IP="" scp -i @${CONTROLPLANE_IP}:/tmp/new-admin-decoded.kubeconfig . -# OR SFTP - -sftp -i @${CONTROLPLANE_IP}:/tmp/new-admin-decoded.kubeconfig . - ls -ltr export KUBECONFIG="new-admin-decoded.kubeconfig" From 84e6df1ffca9412e24e56961e5c1c7855cc53b8b Mon Sep 17 00:00:00 2001 From: Sai Teja Penugonda Date: Thu, 23 May 2024 08:30:18 -0400 Subject: [PATCH 04/17] added br copy certs commands --- .../docs/clustermgmt/security/manually-renew-certs.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index f8b1853ee912..c295504e7498 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md 
@@ -153,6 +153,16 @@ ${IMAGE_ID} tmp-cert-renew \ 3. If you have external etcd nodes, manually replace the `server-etcd-client.crt` and `apiserver-etcd-client.key` file in `/etc/kubernetes/pki` (or `/var/lib/kubeadm/pki` in Bottlerocket) folder with the files you saved from any etcd node. + - **For Bottlerocket**: + + ``` + cp apiserver-etcd-client.key /tmp/ + cp server-etcd-client.crt /tmp/ + sudo sheltie + cp /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/apiserver-etcd-client.key /var/lib/kubeadm/pki/ + cp /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/server-etcd-client.crt /var/lib/kubeadm/pki/ + ``` + 4. Restart static control plane pods. - **For Ubuntu and RHEL**: temporarily move all manifest files from `/etc/kubernetes/manifests/` and wait for 20 seconds, then move the manifests back to this file location. From e0e0492fbe40bd12615dd130f3d3b49929cdd16d Mon Sep 17 00:00:00 2001 From: Sai Date: Thu, 23 May 2024 08:47:32 -0400 Subject: [PATCH 05/17] fix kubeconifg section --- .../en/docs/clustermgmt/security/manually-renew-certs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 875161b388a0..86b471daf64b 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md 
@@ -230,7 +230,7 @@ etcd: - https://xxx.xxx.xxx.xxx:2379 ``` -#### What do I do if my local kubeconfig has expired? +### What do I do if my local kubeconfig has expired? Your local kubeconfig used to interact with the cluster contains a certificate that expires after 1 year. When you rotate cluster certificates a new kubeconfig with a new certificate is created as a Secret in the cluster. If you do not retrieve the new kubeconfig and your local kubeconfig certificate expires you will receive the following error: From 6f33ca5b1a4f95c0be45ed724c60c8c08187fdce Mon Sep 17 00:00:00 2001 From: Sai Teja Penugonda Date: Thu, 23 May 2024 08:59:59 -0400 Subject: [PATCH 06/17] fixed kubeconfig naming --- .../en/docs/clustermgmt/security/manually-renew-certs.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 86b471daf64b..16c77905671f 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md @@ -270,7 +270,7 @@ sudo sheltie cat /var/lib/kubeadm/admin.conf export KUBECONFIG="/var/lib/kubeadm/admin.conf" -cat new-admin.kubeconfig > /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/new-admin-decoded.kubeconfig +cat admin.conf > /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/new-admin.kubeconfig {{< /tab >}} {{< /tabpane >}} @@ -281,9 +281,9 @@ cat new-admin.kubeconfig > /run/host-containerd/io.containerd.runtime.v2.task/de ssh export CONTROLPLANE_IP="" -scp -i @${CONTROLPLANE_IP}:/tmp/new-admin-decoded.kubeconfig . +scp -i @${CONTROLPLANE_IP}:/tmp/new-admin.kubeconfig . ls -ltr -export KUBECONFIG="new-admin-decoded.kubeconfig" +export KUBECONFIG="new-admin.kubeconfig" kubectl get pods From 5f1ee49c825676f48c8c52acc8edc8262d826887 Mon Sep 17 00:00:00 2001 
From: Sai Teja Penugonda Date: Thu, 23 May 2024 09:03:54 -0400 Subject: [PATCH 07/17] fixed kubeconfig path --- .../en/docs/clustermgmt/security/manually-renew-certs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 16c77905671f..4b2dd6415942 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md @@ -270,7 +270,7 @@ sudo sheltie cat /var/lib/kubeadm/admin.conf export KUBECONFIG="/var/lib/kubeadm/admin.conf" -cat admin.conf > /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/new-admin.kubeconfig +cat /var/lib/kubeadm/admin.conf > /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/new-admin.kubeconfig {{< /tab >}} {{< /tabpane >}} From cdb70b8b6466deb3fe8869a71e8c1c137a7153fb Mon Sep 17 00:00:00 2001 From: Sai Teja Penugonda Date: Fri, 31 May 2024 09:59:50 -0400 Subject: [PATCH 08/17] fixed grammer and syntax --- .../docs/clustermgmt/security/manually-renew-certs.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 4b2dd6415942..5b0b8aac421e 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md 
@@ -232,7 +232,7 @@ etcd: ### What do I do if my local kubeconfig has expired? -Your local kubeconfig used to interact with the cluster contains a certificate that expires after 1 year. When you rotate cluster certificates a new kubeconfig with a new certificate is created as a Secret in the cluster. If you do not retrieve the new kubeconfig and your local kubeconfig certificate expires you will receive the following error: +Your local kubeconfig used to interact with the cluster contains a certificate that expires after 1 year. When you rotate cluster certificates, a new kubeconfig with a new certificate is created as a Secret in the cluster. If you do not retrieve the new kubeconfig and your local kubeconfig certificate expires, you will receive the following error: ``` Error: Couldn't get current Server API group list: the server has asked for the client to provide credentials error: you must be logged in to the server. @@ -244,7 +244,11 @@ You can extract your new kubeconfig using the following steps. 1. SSH to one of the Control Plane nodes and run the following command to validate connection with API Server, export kubeconfig from `${CLUSTER_NAME}-kubeconfig` secret object (`eksa-system` namespace) using kubectl and copy kubeconfig file to `/tmp` directory. ``` -ssh +ssh -i ec2-user@ + +OR + +ssh -i ubuntu@ ``` {{< tabpane >}} @@ -263,7 +267,7 @@ cat new-admin.kubeconfig > /tmp/new-admin-decoded.kubeconfig {{< tab header="Bottlerocket" lang="bash" >}} -# you would be in the admin container when you ssh to the Bottlerocket machine +# You would need to be in the admin container when you ssh to the Bottlerocket machine # open a root shell sudo sheltie From 46b4db181532fcfc8860915b5adf9a63acaf63d3 Mon Sep 17 00:00:00 2001 From: Sai Teja Penugonda Date: Fri, 31 May 2024 10:11:39 -0400 Subject: [PATCH 09/17] fixed username --- .../en/docs/clustermgmt/security/manually-renew-certs.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 5b0b8aac421e..3790ba2bef4e 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md @@ -244,11 +244,8 @@ You can extract your new kubeconfig using the following steps. 1. SSH to one of the Control Plane nodes and run the following command to validate connection with API Server, export kubeconfig from `${CLUSTER_NAME}-kubeconfig` secret object (`eksa-system` namespace) using kubectl and copy kubeconfig file to `/tmp` directory. ``` -ssh -i ec2-user@ +ssh -i @ # USER_NAME should be ec2-user for bottlerocket, ubuntu for Ubuntu ControlPlane machine Operating System -OR - -ssh -i ubuntu@ ``` {{< tabpane >}} From d263a3e889d3f62417836f425bb39c3427725600 Mon Sep 17 00:00:00 2001 From: Sai Teja Penugonda Date: Mon, 3 Jun 2024 09:59:33 -0400 Subject: [PATCH 10/17] docs/ --- .../clustermgmt/security/manually-renew-certs.md | 13 +++++-------- .../clustermgmt/support/purchase-subscription.md | 2 +- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 3790ba2bef4e..15d091e746f6 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md 
@@ -153,7 +153,7 @@ ${IMAGE_ID} tmp-cert-renew \ {{< /tab >}} {{< /tabpane >}} -3. If you have external etcd nodes, manually replace the `server-etcd-client.crt` and `apiserver-etcd-client.key` file in `/etc/kubernetes/pki` (or `/var/lib/kubeadm/pki` in Bottlerocket) folder with the files you saved from any etcd node. +3. If you have external etcd nodes, manually replace the `server-etcd-client.crt` and `apiserver-etcd-client.key` files in the `/etc/kubernetes/pki` (or `/var/lib/kubeadm/pki` in Bottlerocket) folder with the files you saved from any etcd node. - **For Bottlerocket**: @@ -232,7 +232,7 @@ etcd: ### What do I do if my local kubeconfig has expired? -Your local kubeconfig used to interact with the cluster contains a certificate that expires after 1 year. When you rotate cluster certificates, a new kubeconfig with a new certificate is created as a Secret in the cluster. If you do not retrieve the new kubeconfig and your local kubeconfig certificate expires, you will receive the following error: +Your local kubeconfig, used to interact with the cluster contains a certificate that expires after 1 year. When you rotate cluster certificates, a new kubeconfig with a new certificate is created as a Secret in the cluster. If you do not retrieve the new kubeconfig and your local kubeconfig certificate expires, you will receive the following error: ``` Error: Couldn't get current Server API group list: the server has asked for the client to provide credentials error: you must be logged in to the server. 
@@ -241,7 +241,7 @@ This error typically occurs when the cluster certificates have been renewed or e You can extract your new kubeconfig using the following steps. -1. SSH to one of the Control Plane nodes and run the following command to validate connection with API Server, export kubeconfig from `${CLUSTER_NAME}-kubeconfig` secret object (`eksa-system` namespace) using kubectl and copy kubeconfig file to `/tmp` directory. +1. You can extract your new kubeconfig by SSHing to one of the Control Plane nodes, exporting kubeconfig from the secret object, and copying kubeconfig file to `/tmp` directory, as shown here: ``` ssh -i @ # USER_NAME should be ec2-user for bottlerocket, ubuntu for Ubuntu ControlPlane machine Operating System @@ -256,9 +256,7 @@ export CLUSTER_NAME="" cat /var/lib/kubeadm/admin.conf export KUBECONFIG="/var/lib/kubeadm/admin.conf" -kubectl get secret ${CLUSTER_NAME}-kubeconfig -n eksa-system -o yaml > new-admin.kubeconfig - -cat new-admin.kubeconfig > /tmp/new-admin-decoded.kubeconfig +kubectl get secret ${CLUSTER_NAME}-kubeconfig -n eksa-system -o yaml > /tmp/new-admin-decoded.kubeconfig {{< /tab >}} @@ -269,7 +267,6 @@ cat new-admin.kubeconfig > /tmp/new-admin-decoded.kubeconfig sudo sheltie cat /var/lib/kubeadm/admin.conf -export KUBECONFIG="/var/lib/kubeadm/admin.conf" cat /var/lib/kubeadm/admin.conf > /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/new-admin.kubeconfig @@ -281,7 +278,7 @@ cat /var/lib/kubeadm/admin.conf > /run/host-containerd/io.containerd.runtime.v2. ``` ssh -export CONTROLPLANE_IP="" +export CONTROLPLANE_IP="" scp -i @${CONTROLPLANE_IP}:/tmp/new-admin.kubeconfig . ls -ltr diff --git a/docs/content/en/docs/clustermgmt/support/purchase-subscription.md b/docs/content/en/docs/clustermgmt/support/purchase-subscription.md index 66417a491e2a..e5aa699a15e8 100644 --- a/docs/content/en/docs/clustermgmt/support/purchase-subscription.md 
+++ b/docs/content/en/docs/clustermgmt/support/purchase-subscription.md @@ -184,7 +184,7 @@ aws eks tag-resource \ ## Delete Subscriptions ->**_NOTE_** Only inactive subscriptions can be deleted. Deleting inactive subscriptions removes them from the AWS Management Console view and API responses. To delete any Active Subscriptions, Please create a Support Case with AWS Support team. +>**_NOTE_** Only inactive subscriptions can be deleted. Deleting inactive subscriptions removes them from the AWS Management Console view and API responses. To delete any Active Subscriptions, please create a Support Case with AWS Support team. ### AWS Management Console From 3c82cca1413715798d55a2cc88fbce79944a19a9 Mon Sep 17 00:00:00 2001 From: Sai Teja Penugonda Date: Mon, 3 Jun 2024 10:13:48 -0400 Subject: [PATCH 11/17] switch to sftp - avail by default in ubuntu and bt --- .../en/docs/clustermgmt/security/manually-renew-certs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 15d091e746f6..8304163648d0 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md @@ -279,7 +279,7 @@ cat /var/lib/kubeadm/admin.conf > /run/host-containerd/io.containerd.runtime.v2. ssh export CONTROLPLANE_IP="" -scp -i @${CONTROLPLANE_IP}:/tmp/new-admin.kubeconfig . +sftp -i @${CONTROLPLANE_IP}:/tmp/new-admin.kubeconfig . ls -ltr export KUBECONFIG="new-admin.kubeconfig" From 9ff20978cacb995895200eaa0b286de2a043e448 Mon Sep 17 00:00:00 2001 From: Sai Teja Penugonda Date: Mon, 3 Jun 2024 10:16:22 -0400 Subject: [PATCH 12/17] added username comment --- .../en/docs/clustermgmt/security/manually-renew-certs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 8304163648d0..248e300c83de 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md @@ -279,7 +279,7 @@ cat /var/lib/kubeadm/admin.conf > /run/host-containerd/io.containerd.runtime.v2. ssh export CONTROLPLANE_IP="" -sftp -i @${CONTROLPLANE_IP}:/tmp/new-admin.kubeconfig . +sftp -i @${CONTROLPLANE_IP}:/tmp/new-admin.kubeconfig . # USER_NAME should be ec2-user for bottlerocket, ubuntu for Ubuntu ControlPlane machine ls -ltr export KUBECONFIG="new-admin.kubeconfig" From e5f96f347bd39dcc803c4eb33b80e6b89ad1ea02 Mon Sep 17 00:00:00 2001 From: Veronica4036 <60287165+Veronica4036@users.noreply.github.com> Date: Tue, 4 Jun 2024 18:57:54 +0530 Subject: [PATCH 13/17] fixed kubeconfig user naming for BR --- .../clustermgmt/security/manually-renew-certs.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 248e300c83de..0041f64871ff 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md @@ -256,7 +256,7 @@ export CLUSTER_NAME="" cat /var/lib/kubeadm/admin.conf export KUBECONFIG="/var/lib/kubeadm/admin.conf" -kubectl get secret ${CLUSTER_NAME}-kubeconfig -n eksa-system -o yaml > /tmp/new-admin-decoded.kubeconfig +kubectl get secret ${CLUSTER_NAME}-kubeconfig -n eksa-system -o yaml -o=jsonpath="{.data.value}" | base64 --decode > /tmp/user-admin.kubeconfig {{< /tab >}} 
@@ -268,7 +268,17 @@ sudo sheltie cat /var/lib/kubeadm/admin.conf -cat /var/lib/kubeadm/admin.conf > /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/new-admin.kubeconfig +cat /var/lib/kubeadm/admin.conf > /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/kubernetes-admin.kubeconfig +exit # exit from the sudo sheltie container + +export CLUSTER_NAME="" +export KUBECONFIG="/tmp/kubernetes-admin.kubeconfig" +kubectl get secret ${CLUSTER_NAME}-kubeconfig -n eksa-system -o yaml -o=jsonpath="{.data.value}" | base64 --decode > /tmp/user-admin.kubeconfig +exit # exit from the Control Plane Machine + +{{< /tab >}} +{{< /tabpane >}} +Note: Install kubectl on the Control Plane Machine using the instructions [here](https://anywhere.eks.amazonaws.com/docs/getting-started/install/#manually-macos-and-linux) {{< /tab >}} {{< /tabpane >}} @@ -279,7 +289,7 @@ cat /var/lib/kubeadm/admin.conf > /run/host-containerd/io.containerd.runtime.v2. ssh export CONTROLPLANE_IP="" -sftp -i @${CONTROLPLANE_IP}:/tmp/new-admin.kubeconfig . # USER_NAME should be ec2-user for bottlerocket, ubuntu for Ubuntu ControlPlane machine +sftp -i @${CONTROLPLANE_IP}:/tmp/user-admin.kubeconfig . # USER_NAME should be ec2-user for bottlerocket, ubuntu for Ubuntu ControlPlane machine ls -ltr export KUBECONFIG="new-admin.kubeconfig" From 2aa2e0c18089be2a95faf9a41b1dbf110b57a9a8 Mon Sep 17 00:00:00 2001 From: Veronica4036 <60287165+Veronica4036@users.noreply.github.com> Date: Tue, 4 Jun 2024 19:02:28 +0530 Subject: [PATCH 14/17] Update manually-renew-certs.md --- .../en/docs/clustermgmt/security/manually-renew-certs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 0041f64871ff..c0305199d137 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md 
+++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md @@ -292,6 +292,6 @@ export CONTROLPLANE_IP="" sftp -i @${CONTROLPLANE_IP}:/tmp/user-admin.kubeconfig . # USER_NAME should be ec2-user for bottlerocket, ubuntu for Ubuntu ControlPlane machine ls -ltr -export KUBECONFIG="new-admin.kubeconfig" +export KUBECONFIG="user-admin.kubeconfig" kubectl get pods From 4907a680da533bbe1feea9c6d58eda5cbfd5f2b7 Mon Sep 17 00:00:00 2001 From: Sai Date: Thu, 6 Jun 2024 16:59:58 -0400 Subject: [PATCH 15/17] Update docs/content/en/docs/clustermgmt/security/manually-renew-certs.md Co-authored-by: Chris Negus --- .../en/docs/clustermgmt/security/manually-renew-certs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index c0305199d137..50f91a471142 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md 
@@ -232,7 +232,7 @@ etcd: ### What do I do if my local kubeconfig has expired? -Your local kubeconfig, used to interact with the cluster contains a certificate that expires after 1 year. When you rotate cluster certificates, a new kubeconfig with a new certificate is created as a Secret in the cluster. If you do not retrieve the new kubeconfig and your local kubeconfig certificate expires, you will receive the following error: +Your local kubeconfig, used to interact with the cluster, contains a certificate that expires after 1 year. When you rotate cluster certificates, a new kubeconfig with a new certificate is created as a Secret in the cluster. If you do not retrieve the new kubeconfig and your local kubeconfig certificate expires, you will receive the following error: ``` Error: Couldn't get current Server API group list: the server has asked for the client to provide credentials error: you must be logged in to the server. From a548fcea8b800bb8e19512a0f986f51f27b61096 Mon Sep 17 00:00:00 2001 From: Sai Date: Fri, 7 Jun 2024 12:54:05 -0400 Subject: [PATCH 16/17] addition new line to fix syntax --- .../content/en/docs/clustermgmt/security/manually-renew-certs.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 50f91a471142..7cb0f1fa7c58 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md 
@@ -84,6 +84,7 @@ ${IMAGE_ID} tmp-cert-renew \ {{< tab header="Ubuntu or RHEL" lang="bash" >}} sudo etcdctl --cacert=/etc/etcd/pki/ca.crt --cert=/etc/etcd/pki/etcdctl-etcd-client.crt --key=/etc/etcd/pki/etcdctl-etcd-client.key member list {{< /tab >}} + {{< tab header="Bottlerocket" lang="bash" >}} ETCD_CONTAINER_ID=$(ctr -n k8s.io c ls | grep -w "etcd-io" | cut -d " " -f1 | tail -1) ctr -n k8s.io t exec -t --exec-id etcd ${ETCD_CONTAINER_ID} etcdctl \ From 0cede55c8cf2074c6da1d72d7a4df1cb2ba0c273 Mon Sep 17 00:00:00 2001 From: Sai Date: Fri, 7 Jun 2024 13:01:24 -0400 Subject: [PATCH 17/17] fix closing tab pane --- .../en/docs/clustermgmt/security/manually-renew-certs.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md index 7cb0f1fa7c58..57d878594080 100644 --- a/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md +++ b/docs/content/en/docs/clustermgmt/security/manually-renew-certs.md @@ -281,9 +281,6 @@ exit # exit from the Control Plane Machine {{< /tabpane >}} Note: Install kubectl on the Control Plane Machine using the instructions [here](https://anywhere.eks.amazonaws.com/docs/getting-started/install/#manually-macos-and-linux) -{{< /tab >}} -{{< /tabpane >}} - 2. From your admin machine, download the kubeconfig file from the ControlPlane node and use it to access your Kubernetes Cluster. ```
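Review bot: In PATCH 01/17, the Ubuntu or RHEL tab pipes `new-admin.kubeconfig` through `base64 -d`, but that file holds the full `-o yaml` Secret manifest rather than a base64 string, so the decode cannot yield a kubeconfig. The Bottlerocket tab also runs `cat new-admin.kubeconfig | base64 -d` with no earlier command that creates the file. Extract only the encoded field before decoding, as PATCH 13/17 later does with `-o=jsonpath="{.data.value}" | base64 --decode`, and give both tabs the same `kubectl get secret` line.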
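Review bot: In PATCH 03/17, step 3 now names the pair `server-etcd-client.crt` and `apiserver-etcd-client.key`, so the certificate and its key no longer share a base name, whereas the text being replaced used `api-server-etcd-client` for both. The `cp` commands added in PATCH 04/17 and the rewording in PATCH 10/17 carry `server-etcd-client.crt` forward. Check the name against the files actually present in `/etc/kubernetes/pki`; kubeadm's default for this pair is `apiserver-etcd-client.crt` and `apiserver-etcd-client.key`.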
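Review bot: In PATCH 04/17, the Bottlerocket block copies `apiserver-etcd-client.key` into `/tmp/` of the admin container and from there into `/var/lib/kubeadm/pki/`, but nothing removes the `/tmp` copy, so the etcd client private key stays behind in a shared temporary directory. Add an `rm` of both `/tmp` files after the two `cp` commands run under `sudo sheltie`.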
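Review bot: In PATCH 09/17, the comment on the `ssh -i` line gives `USER_NAME` only for Bottlerocket and Ubuntu, while the tab directly below is headed "Ubuntu or RHEL". Name the RHEL login user as well, or say that it depends on the node image, so a reader following the RHEL path is not left guessing.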
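Review bot: In PATCH 10/17, the Ubuntu or RHEL tab now writes `/tmp/new-admin-decoded.kubeconfig`, but step 2 in the same patch downloads `/tmp/new-admin.kubeconfig`, so on those nodes the transfer asks for a file that was never created. The file written is also still the raw `-o yaml` Secret manifest under a "decoded" name. Use one file name in both steps and decode the secret value before writing it.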
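Review bot: In PATCH 13/17, the `kubectl get secret` line passes the output flag twice, `-o yaml -o=jsonpath="{.data.value}"`, in both the Ubuntu or RHEL tab and the new Bottlerocket lines. Drop `-o yaml` so that jsonpath is the only format requested and the command reads as what it does.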
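Review bot: In PATCH 13/17, the Bottlerocket tab leaves two admin credentials in `/tmp` on the control plane node: the copy of `/var/lib/kubeadm/admin.conf` written as `kubernetes-admin.kubeconfig` and the extracted `user-admin.kubeconfig`. Both are created by shell redirection under the default umask, and neither is removed after the `sftp` download in step 2. Set `umask 077` before the redirects and add a cleanup step that deletes both files once the admin machine has its copy; the Ubuntu or RHEL tab needs the same for `/tmp/user-admin.kubeconfig`. The same hunk also adds a second `{{< /tab >}} {{< /tabpane >}}` pair ahead of the existing one, which PATCH 17/17 then has to remove.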