How to Rotate Kops Master Node Certificates

Problem

Old Kubernetes clusters (deployed prior to Kubernetes 1.16.2) may require manual certificate rotation. When the certificates expire, the master nodes can no longer communicate and the cluster becomes destabilized.

Solution

If the master nodes are all still operating normally, then upgrading to Kubernetes 1.16.2 or later should fix the issue and prevent it from recurring. However, if master nodes are already offline due to expired certificates, you will need to rotate the certificates manually.

Tip: Use ssh, Lens, Teleport, or other means to open a shell on each master node and rotate the certificates there.

Confirm that the certificates are expiring

echo | openssl s_client -connect localhost:2380 2>/dev/null | openssl x509 -noout -dates

Backup existing certificates

sudo find /mnt/ -name server.key | sudo xargs -I'{}' cp '{}' '{}'.bak.20200412
sudo find /mnt/ -name server.crt | sudo xargs -I'{}' cp '{}' '{}'.bak.20200412
sudo find /mnt/ -name me.key | sudo xargs -I'{}' cp '{}' '{}'.bak.20200412
sudo find /mnt/ -name me.crt | sudo xargs -I'{}' cp '{}' '{}'.bak.20200412
sudo find /mnt/ -name '*.bak.*'

Delete certificates

sudo find /mnt/ -name server.key | xargs -I {} sudo rm {}
sudo find /mnt/ -name server.crt | xargs -I {} sudo rm {}
sudo find /mnt/ -name me.key | xargs -I {} sudo rm {}
sudo find /mnt/ -name me.crt | xargs -I {} sudo rm {}

Restart etcd-manager to generate new certificates

sudo docker ps -f name='etcd-manager' -q | sudo xargs docker kill

Verify new certs

echo | openssl s_client -connect localhost:2380 2>/dev/null | openssl x509 -noout -dates

Repeat this entire process on all master nodes
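The per-node steps above (check the dates, back up, delete, restart etcd-manager, check again) as one script. This is an added example and not part of the original page or of kops; the function names, the CERT_ROOT, BACKUP_SUFFIX and ETCD_PORT variables, and the 15-second wait are my assumptions. It keeps the page's file names and /mnt search root, but refuses to overwrite an existing backup and refuses to delete a certificate that has no backup, so a re-run cannot destroy the only good copy.

```shell
#!/bin/sh
# Added example, not from the original page: the per-node rotation steps
# (check, back up, delete, restart etcd-manager, re-check) as shell functions.
# Assumptions: certificates live under CERT_ROOT (/mnt, as on the page), the
# script runs as root on the master node, and etcd answers on ETCD_PORT.
set -eu

CERT_ROOT="${CERT_ROOT:-/mnt}"
BACKUP_SUFFIX="${BACKUP_SUFFIX:-bak.$(date +%Y%m%d)}"   # page used bak.20200412
CERT_NAMES="server.key server.crt me.key me.crt"
ETCD_PORT="${ETCD_PORT:-2380}"

# Print notBefore/notAfter of the certificate etcd presents on localhost:$ETCD_PORT.
show_cert_dates() {
  echo | openssl s_client -connect "localhost:$ETCD_PORT" 2>/dev/null \
    | openssl x509 -noout -dates
}

# Copy every key/cert under $1 to <file>.$2. Refuses to clobber an existing
# backup so a re-run cannot overwrite the only good copy.
backup_certs() {
  root="$1"; suffix="$2"
  for name in $CERT_NAMES; do
    find "$root" -type f -name "$name" -exec sh -c '
      suffix="$1"; shift
      for f; do
        if [ -e "$f.$suffix" ]; then
          echo "refusing to overwrite existing backup $f.$suffix" >&2; exit 1
        fi
        cp -p "$f" "$f.$suffix" || exit 1
      done' sh "$suffix" {} + || return 1
  done
}

# Number of backup files under $1 with suffix $2 (the page's find '*.bak.*' check).
count_backups() {
  find "$1" -type f -name "*.$2" | wc -l | tr -d ' '
}

# Delete the originals, but only those that have a backup with suffix $2.
delete_certs() {
  root="$1"; suffix="$2"
  for name in $CERT_NAMES; do
    find "$root" -type f -name "$name" -exec sh -c '
      suffix="$1"; shift
      for f; do
        if [ ! -e "$f.$suffix" ]; then
          echo "no backup $f.$suffix found, not deleting $f" >&2; exit 1
        fi
        rm -f "$f" || exit 1
      done' sh "$suffix" {} + || return 1
  done
}

# Kill the etcd-manager containers; kops restarts them and they reissue certs.
restart_etcd_manager() {
  ids=$(docker ps -f name='etcd-manager' -q)
  if [ -n "$ids" ]; then
    echo "$ids" | xargs docker kill
  else
    echo "no etcd-manager container running" >&2; return 1
  fi
}

# Full per-node procedure; only runs when invoked as: sh rotate.sh rotate
rotate_node() {
  echo "certificate dates before rotation:"; show_cert_dates
  backup_certs "$CERT_ROOT" "$BACKUP_SUFFIX"
  echo "$(count_backups "$CERT_ROOT" "$BACKUP_SUFFIX") backups written"
  delete_certs "$CERT_ROOT" "$BACKUP_SUFFIX"
  restart_etcd_manager
  sleep 15   # assumption: time for etcd-manager to come back with new certs
  echo "certificate dates after rotation:"; show_cert_dates
}

if [ "${1:-}" = "rotate" ]; then
  rotate_node
fi
```

Run it as root on one master node with `sh rotate.sh rotate`; without the `rotate` argument the file only defines the functions, so it can be sourced and the steps run one at a time. Because `backup_certs` uses `find -exec ... {} +` rather than piping names through `xargs`, file names with spaces are handled, and because `delete_certs` checks for the backup first, the destructive step cannot run ahead of the backup step.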

Verify that the cluster is healthy

Wait for pods to show as Ready

kubectl get nodes