Added instructions to update kubeconfig after manual certs renewal or cluster upgrade #7890

Merged
merged 20 commits into from
Jun 7, 2024
71 changes: 71 additions & 0 deletions docs/content/en/docs/clustermgmt/security/manually-renew-certs.md
@@ -168,3 +168,74 @@ ${IMAGE_ID} tmp-cert-renew \
5. Repeat the above steps for all control plane nodes.

You can similarly use the above steps to rotate a single certificate instead of all certificates.

#### Update kubeconfig on Admin machine

Post completion of manual certificate rotation or if your Cluster was created more than a year ago, your kubeconfig file on Admin machine will have outdated certificates and would result in following error,

```
Error: Couldn't get current Server API group list: the server has asked for the client to provide credentials error: you must be logged in to the server.
This error typically occurs when the cluster certificates have been renewed or extended during the upgrade process. To resolve this issue, you need to update your local kubeconfig file with the new cluster credentials.
```

Follow below steps to update kubeconfig on Admin machine.

1. SSH to one of the Control Plane nodes and run the following command to validate connection with API Server, export kubeconfig from `${CLUSTER_NAME}-kubeconfig` secret object (`eksa-system` namespace) using kubectl and copy kubeconfig file to `/tmp` directory.

```
ssh <YOUR_CONTROLPLANE_IP>
```

{{< tabpane >}}
{{< tab header="Ubuntu or RHEL" lang="bash" >}}

export CLUSTER_NAME="<YOUR_CLUSTER_NAME_HERE>"

cat /var/lib/kubeadm/admin.conf
export KUBECONFIG="/var/lib/kubeadm/admin.conf"

kubectl get nodes -o wide
kubectl get secrets -A

kubectl get secret ${CLUSTER_NAME}-kubeconfig -n eksa-system -o yaml > new-admin.kubeconfig

cat new-admin.kubeconfig | base64 -d > /tmp/new-admin-decoded.kubeconfig

{{< /tab >}}

{{< tab header="Bottlerocket" lang="bash" >}}
# you would be in the admin container when you ssh to the Bottlerocket machine
# open a root shell
sudo sheltie

export CLUSTER_NAME="<YOUR_CLUSTER_NAME_HERE>"

cat /var/lib/kubeadm/admin.conf
Member (review comment on this line):
I think you mean to cut the `cat /var/lib/kubeadm/admin.conf` line, since you run it again a few lines down to redirect the content into another file. Likewise, the `export KUBECONFIG...` line just below here doesn't seem to be consumed anywhere, unless I'm missing something.

Contributor Author:
Right. This KUBECONFIG export is not needed. Removing it.

export KUBECONFIG="/var/lib/kubeadm/admin.conf"

kubectl get nodes -o wide
kubectl get secrets -A

cat new-admin.kubeconfig | base64 -d > /run/host-containerd/io.containerd.runtime.v2.task/default/admin/rootfs/tmp/new-admin-decoded.kubeconfig

{{< /tab >}}
{{< /tabpane >}}


2. **SSH to Admin Machine**, download the kubeconfig file from ControlPlane to your Admin machine and access Kubernetes Cluster

```
ssh <ADMIN_MACHINE_IP>

export CONTROLPLANE_IP=""
scp -i <keypair>@${CONTROLPLANE_IP}:/tmp/new-admin-decoded.kubeconfig .

# OR SFTP

sftp -i <keypair>@${CONTROLPLANE_IP}:/tmp/new-admin-decoded.kubeconfig .

ls -ltr
export KUBECONFIG="new-admin-decoded.kubeconfig"

kubectl get pods
```
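
Review bot: the secret-export step in the Ubuntu/RHEL tab does not yield a usable kubeconfig: `kubectl get secret ${CLUSTER_NAME}-kubeconfig -n eksa-system -o yaml > new-admin.kubeconfig` writes the whole Secret manifest (apiVersion, metadata, the data map), so the following `cat new-admin.kubeconfig | base64 -d > /tmp/new-admin-decoded.kubeconfig` decodes YAML rather than the kubeconfig and produces an error or garbage. Select only the data field, for example `kubectl get secret ${CLUSTER_NAME}-kubeconfig -n eksa-system -o jsonpath='{.data.value}' | base64 -d > /tmp/new-admin-decoded.kubeconfig` (Cluster API stores the kubeconfig under the `value` key of these secrets; confirm the key name on a live cluster). The Bottlerocket tab has the same decode line but omits the `kubectl get secret` step altogether, so `new-admin.kubeconfig` never exists there, and it still carries the duplicated `cat /var/lib/kubeadm/admin.conf` and the unused `export KUBECONFIG=...` discussed in the thread above. In step 2, `scp -i <keypair>@${CONTROLPLANE_IP}:/tmp/new-admin-decoded.kubeconfig .` (and the sftp variant) is not valid: `-i` takes a key file path and the remote spec needs a user, so it should read `scp -i <keypair> <user>@${CONTROLPLANE_IP}:/tmp/new-admin-decoded.kubeconfig .`. Finally, the decoded file is a cluster-admin credential; the doc leaves it in a world-readable `/tmp` on the control plane node (and, on Bottlerocket, inside the admin container rootfs) with default permissions. Suggest setting `umask 077` before the redirect or `chmod 600` on the result, and adding a step to delete the copy from the node once it has been transferred.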
@@ -184,7 +184,7 @@ aws eks tag-resource \

## Delete Subscriptions

>**_NOTE_** Only inactive subscriptions can be deleted. Deleting inactive subscriptions removes them from the AWS Management Console view and API responses.
>**_NOTE_** Only inactive subscriptions can be deleted. Deleting inactive subscriptions removes them from the AWS Management Console view and API responses. To delete any Active Subscriptions, Please create a Support Case with AWS Support team.

### AWS Management Console
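
Review bot: the sentence added to the NOTE, `To delete any Active Subscriptions, Please create a Support Case with AWS Support team.`, has stray capitalisation and a comma splice that jar against the rest of the note; suggest `To delete an active subscription, open a case with AWS Support.`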
