This guide explains how to use the `certs-renew.sh` script to renew the certificates of a `kamaji-etcd` datastore.
It performs the following steps:
- Checks the expiration date of the old certificates
- Creates a temporary Role and RoleBinding so the script can access the certificate secrets
- Creates a Kubernetes Job that generates the new certificates with `cfssl`
- Patches the existing secrets with the new certificates
- Restarts the etcd pods and recreates the `datastore-certs` secret
- Removes the temporary Role and RoleBinding
WARNING: during the operation, the tenant control plane won't be reachable for about a minute.
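Before forcing a renewal it is worth knowing how much lifetime the current certificates actually have left, which is what the script's first step checks. The bash helper below is an added example, not code from the kamaji-etcd project or from `certs-renew.sh`: it reads a PEM certificate, reports its `notAfter` date and classifies it as `ok`, `renew` or `expired` against a renewal window using only `openssl`. The `check_secret_cert` helper that pulls a certificate out of a Kubernetes secret with `kubectl` is illustrative; the secret name and the data key you pass to it (for example `ca.crt`) are assumptions, not names documented here, so confirm them with `kubectl get secret -n kamaji-system` first. The self-signed certificate generated by `make_test_cert` is constructed test input that stands in for the real etcd certificates.

```bash
#!/usr/bin/env bash
# Added example, not part of certs-renew.sh or the kamaji-etcd project:
# a pre-flight expiry check for etcd certificates, mirroring the script's
# first step. Needs bash and openssl; kubectl is only used by the live
# helper at the bottom.
set -euo pipefail

# Print the notAfter timestamp of the PEM certificate in file $1.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Return 0 if the certificate in file $1 expires within $2 seconds, 1 otherwise.
# openssl's -checkend exits 0 while the cert stays valid past the window,
# so the result is inverted here so the function name reads naturally.
cert_expires_within() {
  local file=$1 seconds=$2
  if openssl x509 -in "$file" -noout -checkend "$seconds" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Classify the certificate in file $1 against a renewal window of $2 days:
# prints "expired", "renew" or "ok".
cert_status() {
  local file=$1 window_days=$2
  if cert_expires_within "$file" 0; then
    echo expired
  elif cert_expires_within "$file" $(( window_days * 86400 )); then
    echo renew
  else
    echo ok
  fi
}

# Constructed test input: a throwaway self-signed certificate valid for
# $2 days, written to $1 (the key is written next to it).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=etcd-test" \
    -keyout "${1%.crt}.key" -out "$1" >/dev/null 2>&1
}

# Live helper (not exercised offline): dump one key of a certificate secret
# and classify it. Secret and key names are assumptions; check them with
# `kubectl get secret -n kamaji-system` before relying on them.
check_secret_cert() {
  local secret=$1 key=$2 namespace=${3:-kamaji-system} window_days=${4:-30}
  local tmp
  tmp=$(mktemp)
  kubectl get secret "$secret" -n "$namespace" \
    -o go-template="{{index .data \"$key\"}}" | base64 -d > "$tmp"
  printf '%s/%s: notAfter=%s (%s)\n' "$secret" "$key" \
    "$(cert_not_after "$tmp")" "$(cert_status "$tmp" "$window_days")"
  rm -f "$tmp"
}

# Usage: ./check-etcd-certs.sh <secret> <key> [namespace] [window_days]
if [ "$#" -gt 0 ]; then
  check_secret_cert "$@"
fi
```

Run it against a secret and key before and after `certs-renew.sh` to confirm the `notAfter` date actually moved; a `renew` result on any certificate that backs the datastore is the signal to schedule the renewal window.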
The script requires:
- `kamaji-etcd` chart version > 0.2.4
- `bash`
- `jq`
- `openssl`
- `kubectl`
To run the script, use the following command:
`./scripts/certs-renew.sh [-e etcd_name] [-s etcd_service] [-n etcd_namespace]`
- `-e etcd_name`: the name of the etcd instance (default: `kamaji-etcd`)
- `-s etcd_service`: the name of the etcd service (default: `kamaji-etcd`)
- `-n etcd_namespace`: the namespace where etcd is deployed (default: `kamaji-system`)
For example:
`./scripts/certs-renew.sh -e my-etcd -s my-etcd-service -n my-namespace`
- Tenant Control Plane pods may fail with `Error 3/4` but will auto-heal in about a minute.
- Ensure you have the necessary permissions to create and delete Roles and RoleBindings in the specified namespace.
To run the script in debug mode, set the `DEBUG` environment variable:
`export DEBUG=1`