Issue K8s and API Certs

Re-issue Kubernetes and API Certificates

By default, the k8s-related configuration files are generated in the /opt/kato/etc/kubernetes directory on the management node.

1. Remove the Previous Certificate

mv /opt/kato/etc/kubernetes /opt/kato/etc/kubernetes.bak
mv /opt/kato/etc/rbd-api/region.gridworkz/ssl /opt/kato/etc/rbd-api/region.gridworkz/ssl.bak
mkdir /opt/kato/etc/kubernetes

2. Re-issue the Certificate

docker run --rm -v $PWD/ql/k8ssl:/opt/kato/etc/kubernetes/ssl -v $PWD/ql/ssl:/opt/kato/etc/rbd-api/region.gridworkz/ssl -v $PWD/ql/kubecfg:/opt/kato/etc/kubernetes/kubecfg -v $PWD/ql/kubernetes:/grdata/kubernetes kato/r6dctl:docker-cfg-certs kip <management node IP>

Note: For the IP filled in here, use the EIP if the node has one; otherwise use the IIP.

3. Replace Certificate

# Update kube-proxy.kubeconfig
mv ql/kubernetes /grdata/kubernetes
# Copy TLS certificate and secret key  
mv ql/k8ssl /opt/kato/etc/kubernetes/ssl
# Update kubecfg file  
mv ql/kubecfg /opt/kato/etc/kubernetes/
cp -a /opt/kato/etc/kubernetes/kubecfg/admin.kubeconfig /root/.kube/config
# Update api certificate
mv ql/ssl /opt/kato/etc/rbd-api/region.gridworkz/
  • Update the certificate in the persistent directory of rbd-app-ui
cd /grdata/services/console/uidata/kato/ssl
cp /opt/kato/etc/rbd-api/region.gridworkz/ssl/ca.pem .
cp /opt/kato/etc/rbd-api/region.gridworkz/ssl/client.key.pem .
cp /opt/kato/etc/rbd-api/region.gridworkz/ssl/client.pem .
  • Update the certificate in the database

The region_info table of the console database (rbd-db component) holds three certificates. They correspond to the following files:

Data           Corresponding Certificate
ssl_ca_cert    /opt/kato/etc/rbd-api/region.gridworkz/ssl/ca.pem
cert_file      /opt/kato/etc/rbd-api/region.gridworkz/ssl/client.pem
key_file       /opt/kato/etc/rbd-api/region.gridworkz/ssl/client.key.pem

After the certificates are reissued, the corresponding data in the database must be updated in sync.

Update the k8s-related configuration files of the computing node. They are the same as on the management node and need to be synchronized from the management node to the computing node (same directory; delete the corresponding directory on the computing node, then copy it again).

4. Restart the Service and Verify

  • Restart service
grclis stop
grclis start
  • Restart the kubelet service if the node has the computing attribute
systemctl restart kubelet.service
  • Verification

Check that each component is normal, then go to the console and check that it operates normally.

[root@manage ~]# grctl cluster
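
The file-level part of this verification can be scripted with the openssl CLI. The following is an added example, not part of the original page or of the Kato tooling; the function name check_api_certs and the 24-hour expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): check the re-issued API
# certificate files ca.pem, client.pem and client.key.pem with openssl.
# Usage: check_api_certs CERT_DIR [COPY_DIR]
#   e.g. check_api_certs /opt/kato/etc/rbd-api/region.gridworkz/ssl \
#                        /grdata/services/console/uidata/kato/ssl
# check_api_certs is a hypothetical helper; 86400 s is an assumed threshold.
check_api_certs() {
    cc_dir=$1; cc_copy=${2:-}; cc_rc=0
    for cc_f in ca.pem client.pem client.key.pem; do
        [ -s "$cc_dir/$cc_f" ] || { echo "FAIL missing $cc_dir/$cc_f"; return 1; }
    done
    # 1. The client certificate must chain to the new CA.
    if openssl verify -CAfile "$cc_dir/ca.pem" "$cc_dir/client.pem" >/dev/null 2>&1; then
        echo "OK   client.pem verifies against ca.pem"
    else
        echo "FAIL client.pem does not verify against ca.pem"; cc_rc=1
    fi
    # 2. The private key must belong to the certificate: compare public keys.
    cc_cert_pub=$(openssl x509 -in "$cc_dir/client.pem" -noout -pubkey 2>/dev/null)
    cc_key_pub=$(openssl pkey -in "$cc_dir/client.key.pem" -pubout 2>/dev/null)
    if [ -n "$cc_cert_pub" ] && [ "$cc_cert_pub" = "$cc_key_pub" ]; then
        echo "OK   client.key.pem matches client.pem"
    else
        echo "FAIL client.key.pem does not match client.pem"; cc_rc=1
    fi
    # 3. The certificate must stay valid for at least the next 24 hours.
    if openssl x509 -in "$cc_dir/client.pem" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "OK   client.pem is valid for at least 24h"
    else
        echo "FAIL client.pem is expired or expires within 24h"; cc_rc=1
    fi
    # 4. Optional: a copied set (e.g. the rbd-app-ui directory) must be identical.
    if [ -n "$cc_copy" ]; then
        for cc_f in ca.pem client.pem client.key.pem; do
            if cmp -s "$cc_dir/$cc_f" "$cc_copy/$cc_f"; then
                echo "OK   $cc_copy/$cc_f is identical"
            else
                echo "FAIL $cc_copy/$cc_f differs from $cc_dir/$cc_f"; cc_rc=1
            fi
        done
    fi
    return $cc_rc
}
# Run the check only when a directory is given on the command line.
if [ -n "${1:-}" ]; then check_api_certs "$@"; fi
```

A non-zero return means at least one check failed; a leftover file from the .bak directories typically shows up as a chain or key mismatch.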