Backup addon certs in admin node (#848)

* Bump release version to 5.0 * Make LICENSE symlink valid again * Typo fixes * Backup addon certs in admin node Signed-off-by: JenTing Hsiao <jenting.hsiao@suse.com> * Update adoc/admin-security-certificates.adoc Co-authored-by: David Ko <dko@suse.com> Co-authored-by: Markus Napp <mnapp@suse.com> Co-authored-by: Stefan Knorr <sknorr@suse.de> Co-authored-by: David Ko <dko@suse.com>
SUSE · Jun 4, 2020 · 1693672 · 1693672
1 parent 2ab45e2
commit 1693672
Showing 1 changed file with 11 additions and 8 deletions.
diff --git a/adoc/admin-security-certificates.adoc b/adoc/admin-security-certificates.adoc
@@ -488,7 +488,7 @@ run the following:
 ssh <USERNAME>@<MASTER_NODE_IP_ADDRESS/FQDN>
 sudo cp -r /etc/kubernetes/pki /etc/kubernetes/pki.bak
 sudo kubeadm alpha certs renew all
-sudo reboot
+sudo systemctl restart kubelet
 ----
 +
 . Copy the renewed `admin.conf` from one of the master nodes to your local environment:
@@ -501,16 +501,19 @@ sudo cat /etc/kubernetes/admin.conf
 
 === Renewing Certificates Created by `skuba`:
 
-Log in to the master node and regenerate the certificates:
+In the admin node, regenerate the certificates:
 
 * Replace the `oidc-dex` server certificate:
 +
 . Backup the original `oidc-dex` server certificate and key from secret resource.
 +
 [source,bash]
 ----
-sudo mkdir -p /etc/kubernetes/pki.bak
-sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret oidc-dex-cert -n kube-system -o yaml | sudo tee /etc/kubernetes/pki.bak/oidc-dex-cert.yaml > /dev/nulltrustedcert.yaml | grep tls.key | awk '{print $2}' | base64 --decode | sudo tee /etc/kubernetes/pki.bak/oidc-dex.key > /dev/null
+mkdir -p my-cluster/pki.bak
+kubectl get secret oidc-dex-cert -n kube-system -o yaml | tee my-cluster/pki.bak/oidc-dex-cert.yaml > /dev/null
+
+cat my-cluster/pki.bak/oidc-dex-cert.yaml | grep tls.crt | awk '{print $2}' | base64 --decode | tee my-cluster/pki.bak/oidc-dex.crt > /dev/null
+cat my-cluster/pki.bak/oidc-dex-cert.yaml | grep tls.key | awk '{print $2}' | base64 --decode | tee my-cluster/pki.bak/oidc-dex.key > /dev/null
 ----
 
 . Get the original SAN IP address(es) and DNS(s), run:
@@ -564,11 +567,11 @@ kubectl rollout restart deployment/oidc-dex -n kube-system
 +
 [source,bash]
 ----
-sudo mkdir -p /etc/kubernetes/pki.bak
-sudo kubectl --kubeconfig=/etc/kubernetes/admin.conf get secret oidc-gangway-cert -n kube-system -o yaml | sudo tee /etc/kubernetes/pki.bak/oidc-gangway-cert.yaml > /dev/null
+mkdir -p my-cluster/pki.bak
+kubectl get secret oidc-gangway-cert -n kube-system -o yaml | tee my-cluster/pki.bak/oidc-gangway-cert.yaml > /dev/null
 
-cat /etc/kubernetes/pki.bak/oidc-gangway-cert.yaml | grep tls.crt | awk '{print $2}' | base64 --decode | sudo tee /etc/kubernetes/pki.bak/oidc-gangway.crt > /dev/null
-cat /etc/kubernetes/pki.bak/oidc-gangway-cert.yaml | grep tls.key | awk '{print $2}' | base64 --decode | sudo tee /etc/kubernetes/pki.bak/oidc-gangway.key > /dev/null
+cat my-cluster/pki.bak/oidc-gangway-cert.yaml | grep tls.crt | awk '{print $2}' | base64 --decode | tee my-cluster/pki.bak/oidc-gangway.crt > /dev/null
+cat my-cluster/pki.bak/oidc-gangway-cert.yaml | grep tls.key | awk '{print $2}' | base64 --decode | tee my-cluster/pki.bak/oidc-dgangwayex.key > /dev/null
 ----
 
 . Get the original SAN IP address(es) and DNS(s), run: