
[tools] Add d8 tools pki certs renew for control-plane certificates #368

Draft
trofimovdals wants to merge 4 commits into main from feature/tools-pki-certs-renew


@trofimovdals trofimovdals commented May 25, 2026

Description

Add d8 tools pki certs renew to deckhouse-cli to re-sign expired or soon-to-expire control-plane certificates locally using the go_lib/controlplane renewal API from the companion PR deckhouse/deckhouse#20129.

  • registers a new tools -> pki -> certs -> renew command tree in d8
  • renew all re-signs every known control-plane leaf certificate and kubeconfig client certificate; renew PATH re-signs a single file, auto-detecting whether it is a PEM certificate or a kubeconfig
  • reads all certificate parameters (CN, SANs, usages, key algorithm) from the existing certificate on disk - no cluster configuration or API access required, designed for emergency recovery (mirrors kubeadm certs renew)
  • re-signs with the on-disk CA key; CA is never modified
  • per-artifact outcome handling: missing cert, missing CA, external CA (no key), and expired CA are reported as skips; a CA expiring sooner than the freshly issued certificate is reported as a warning
  • --dry-run runs all checks and signing in memory without writing any files
  • --san (on renew all) adds a new IP SAN to serving certificates that already carry IP SANs (apiserver, etcd/server, etcd/peer) - supports the master-node-IP-change recovery flow without downloading kubeadm or reconstructing cluster config
  • --path and --kubeconfig-dir for non-standard layouts; --kubeconfig-dir defaults to the parent of --path
  • any skip or warning makes the command exit non-zero with the accumulated warns count
  • does not restart or reconfigure cluster components - it only re-signs certificate files on disk; kube-apiserver/kube-controller-manager/kube-scheduler/etcd (or the node/kubelet) need to be restarted after renew for the changes to apply

Examples

d8 tools pki certs renew all

root@dev-test:~# /tmp/d8 tools pki certs check
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY
admin.conf                 May 21, 2027 09:31 UTC   360d            ca
apiserver                  May 21, 2027 09:31 UTC   360d            ca
apiserver-etcd-client      May 21, 2027 09:31 UTC   360d            etcd-ca
apiserver-kubelet-client   May 21, 2027 09:31 UTC   360d            ca
controller-manager.conf    May 21, 2027 09:31 UTC   360d            ca
etcd-healthcheck-client    May 21, 2027 09:31 UTC   360d            etcd-ca
etcd-peer                  May 21, 2027 09:31 UTC   360d            etcd-ca
etcd-server                May 21, 2027 09:31 UTC   360d            etcd-ca
front-proxy-client         May 21, 2027 09:31 UTC   360d            front-proxy-ca
scheduler.conf             May 21, 2027 09:31 UTC   360d            ca
super-admin.conf           May 21, 2027 09:31 UTC   360d            ca

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME
ca                      May 18, 2036 09:31 UTC   9y
etcd-ca                 May 18, 2036 09:31 UTC   9y
front-proxy-ca          May 18, 2036 09:31 UTC   9y

root@dev-test:~# /tmp/d8 tools pki certs renew all
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate the apiserver uses to access etcd renewed
certificate for the front proxy client renewed
certificate for serving etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for liveness probes to healthcheck etcd renewed
certificate embedded in the kubeconfig file for the admin to use renewed
certificate embedded in the kubeconfig file for the super-admin renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate embedded in the kubeconfig file for the scheduler to use renewed

root@dev-test:~# /tmp/d8 tools pki certs check
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY
admin.conf                 May 25, 2027 15:34 UTC   364d            ca
apiserver                  May 25, 2027 15:34 UTC   364d            ca
apiserver-etcd-client      May 25, 2027 15:34 UTC   364d            etcd-ca
apiserver-kubelet-client   May 25, 2027 15:34 UTC   364d            ca
controller-manager.conf    May 25, 2027 15:34 UTC   364d            ca
etcd-healthcheck-client    May 25, 2027 15:34 UTC   364d            etcd-ca
etcd-peer                  May 25, 2027 15:34 UTC   364d            etcd-ca
etcd-server                May 25, 2027 15:34 UTC   364d            etcd-ca
front-proxy-client         May 25, 2027 15:34 UTC   364d            front-proxy-ca
scheduler.conf             May 25, 2027 15:34 UTC   364d            ca
super-admin.conf           May 25, 2027 15:34 UTC   364d            ca

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME
ca                      May 18, 2036 09:31 UTC   9y
etcd-ca                 May 18, 2036 09:31 UTC   9y
front-proxy-ca          May 18, 2036 09:31 UTC   9y

Done. Restart kube-apiserver, kube-controller-manager, kube-scheduler and etcd.

d8 tools pki certs renew all --san 192.168.0.123

root@dev-master-0:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep -A5 "Subject Alternative"
            X509v3 Subject Alternative Name:
                DNS:dev-master-0, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.dvpcluster.local, IP Address:127.0.0.1, IP Address:10.12.0.56, IP Address:10.223.0.1
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        61:4f:ca:95:9f:81:32:d8:fc:35:6a:72:14:48:f1:fc:08:39:
        7e:26:f3:c7:11:05:b6:df:37:31:91:cd:99:3e:76:ca:a8:8e:
root@dev-master-0:~# /tmp/d8 tools pki certs renew all --san 192.168.0.123
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate the apiserver uses to access etcd renewed
certificate for the front proxy client renewed
certificate for serving etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for liveness probes to healthcheck etcd renewed
certificate embedded in the kubeconfig file for the admin to use renewed
certificate embedded in the kubeconfig file for the super-admin renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate embedded in the kubeconfig file for the scheduler to use renewed
root@dev-master-0:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep -A5 "Subject Alternative"
            X509v3 Subject Alternative Name:
                DNS:dev-master-0, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.dvpcluster.local, IP Address:127.0.0.1, IP Address:10.12.0.56, IP Address:10.223.0.1, IP Address:192.168.0.123
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        4d:14:55:5e:58:47:4d:b3:0f:da:94:6e:fd:92:f8:2c:2d:8f:
        72:cd:48:94:d4:44:2d:ea:ea:1a:1c:d7:20:b5:7f:a6:d6:21:

d8 tools pki certs renew all --dry-run with missing ca

root@dev-master-0:~# /tmp/d8 tools pki certs renew all --dry-run
DRY RUN — no files will be modified
CA "ca" missing, certificate for serving the Kubernetes API skipped: /etc/kubernetes/pki/apiserver.crt
CA "ca" missing, certificate for the API server to connect to kubelet skipped: /etc/kubernetes/pki/apiserver-kubelet-client.crt
certificate the apiserver uses to access etcd renewed
certificate for the front proxy client renewed
certificate for serving etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for liveness probes to healthcheck etcd renewed
CA "ca" missing, certificate embedded in the kubeconfig file for the admin to use skipped: /etc/kubernetes/admin.conf
CA "ca" missing, certificate embedded in the kubeconfig file for the super-admin skipped: /etc/kubernetes/super-admin.conf
CA "ca" missing, certificate embedded in the kubeconfig file for the controller manager to use skipped: /etc/kubernetes/controller-manager.conf
CA "ca" missing, certificate embedded in the kubeconfig file for the scheduler to use skipped: /etc/kubernetes/scheduler.conf
(dry-run) nothing was written
Error executing command: 6 certificate(s) not renewed; see output above
root@dev-master-0:~# echo $?
1

d8 tools pki certs renew apiserver.crt from non default dir

root@dev-master-0:~# /tmp/d8 tools pki certs renew apiserver.crt
Error executing command: certificate "apiserver.crt" is not under PKI directory "/etc/kubernetes/pki"; use --path to specify the correct directory
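
The renewal flow the description above lays out (copy CN, SANs and usages from the on-disk certificate, re-sign with the CA key without touching the CA, report external or expired CAs as skips and a short-lived CA as a warning, apply --san only to certificates that already carry IP SANs), as an added illustration that is not code from deckhouse-cli or the go_lib/controlplane API. Renew, Sample and the outcome strings are this example's own names; Sample builds a constructed Ed25519 CA and leaf pair so it runs offline (real control-plane CAs are RSA/ECDSA, which crypto.Signer also covers).

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// Renew re-signs leaf with the on-disk CA key, copying subject, SANs, usages and
// public key from the existing cert; the CA is never modified. san models --san and
// is added only to certs already carrying IP SANs. Returns DER plus an outcome line.
func Renew(leaf, ca *x509.Certificate, key crypto.Signer, san net.IP, ttl time.Duration, now time.Time) ([]byte, string) {
	if key == nil {
		return nil, "skipped: external CA (no key)"
	} else if now.After(ca.NotAfter) {
		return nil, "skipped: CA expired"
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: leaf.Subject,
		DNSNames: leaf.DNSNames, IPAddresses: leaf.IPAddresses, KeyUsage: leaf.KeyUsage,
		ExtKeyUsage: leaf.ExtKeyUsage, NotBefore: now, NotAfter: now.Add(ttl)}
	if san != nil && len(leaf.IPAddresses) > 0 {
		tmpl.IPAddresses = append(append([]net.IP{}, leaf.IPAddresses...), san)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, leaf.PublicKey, key)
	if err != nil {
		return nil, "skipped: " + err.Error()
	} else if ca.NotAfter.Before(tmpl.NotAfter) {
		return der, "renewed, warning: CA expires before the renewed certificate"
	}
	return der, "renewed"
}

// Sample is constructed test material, not cluster PKI: an Ed25519 CA living for caLife and a leaf it signed.
func Sample(caLife time.Duration, now time.Time) (leaf, ca *x509.Certificate, key ed25519.PrivateKey) {
	_, key, _ = ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(caLife)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, key.Public(), key)
	ca, _ = x509.ParseCertificate(caDER)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"kubernetes"},
		IPAddresses: []net.IP{net.ParseIP("10.223.0.1")}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, key)
	leaf, _ = x509.ParseCertificate(leafDER)
	return leaf, ca, key
}
```

The "missing cert" and "missing CA" skips from the description are file-level checks the tool performs before reaching this step and are left out here.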

Signed-off-by: dmitry.trofimov <dmitry.trofimov@flant.com>
@trofimovdals trofimovdals requested a review from ldmonster as a code owner May 25, 2026 15:42
@trofimovdals trofimovdals marked this pull request as draft May 25, 2026 15:42
@sprait sprait requested review from AmazinMax and sprait May 29, 2026 14:08