List Kubernetes internal SSL certificates
sudo kubeadm certs check-expiration
[sudo] password for kubuser:
[check-expiration] Reading configuration from the "kubeadm-config" ConfigMap in namespace "kube-system"...
[check-expiration] Use 'kubeadm init phase upload-config --config your-config-file' to re-upload it.
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 04, 2026 08:01 UTC   359d            ca                      no
apiserver                  Nov 04, 2026 08:01 UTC   359d            ca                      no
apiserver-etcd-client      Nov 04, 2026 08:01 UTC   359d            etcd-ca                 no
apiserver-kubelet-client   Nov 04, 2026 08:01 UTC   359d            ca                      no
controller-manager.conf    Nov 04, 2026 08:01 UTC   359d            ca                      no
etcd-healthcheck-client    Nov 04, 2026 08:01 UTC   359d            etcd-ca                 no
etcd-peer                  Nov 04, 2026 08:01 UTC   359d            etcd-ca                 no
etcd-server                Nov 04, 2026 08:01 UTC   359d            etcd-ca                 no
front-proxy-client         Nov 04, 2026 08:01 UTC   359d            front-proxy-ca          no
scheduler.conf             Nov 04, 2026 08:01 UTC   359d            ca                      no
super-admin.conf           Nov 04, 2026 08:01 UTC   359d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 02, 2035 08:01 UTC   9y              no
etcd-ca                 Nov 02, 2035 08:01 UTC   9y              no
front-proxy-ca          Nov 02, 2035 08:01 UTC   9y              no
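The RESIDUAL TIME column is only correct at the moment kubeadm ran, so a monitoring job should recompute from EXPIRES. The following is an added example (not part of the original page) that parses this output and lists certificates due within a threshold; the sample text is a constructed subset of the tables above.

```python
"""Flag control-plane certificates nearing expiry from `kubeadm certs check-expiration` output."""
import re
from datetime import datetime, timedelta, timezone

# One data row of either table: NAME, "Mon DD, YYYY HH:MM UTC", RESIDUAL, optional CA, yes|no
ROW = re.compile(
    r"^(\S+)\s+([A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2}) UTC\s+\S+\s+(?:(\S+)\s+)?(yes|no)$"
)

def parse_check_expiration(text):
    """Return {name: (expiry as aware UTC datetime, signing CA or None, externally managed)}."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headers, [check-expiration] notices and blank lines
        name, when, ca, managed = m.groups()
        expires = datetime.strptime(when, "%b %d, %Y %H:%M").replace(tzinfo=timezone.utc)
        certs[name] = (expires, ca, managed == "yes")
    return certs

def expiring_within(certs, now, days=30):
    """Names of certificates expiring within `days` of `now` (datetime or 'YYYY-MM-DD'), soonest first."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    limit = now + timedelta(days=days)
    due = sorted((exp, name) for name, (exp, _, _) in certs.items() if exp <= limit)
    return [name for _, name in due]

SAMPLE = """\
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Nov 04, 2026 08:01 UTC   359d            ca                      no
apiserver-etcd-client      Nov 04, 2026 08:01 UTC   359d            etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Nov 02, 2035 08:01 UTC   9y              no
"""

if __name__ == "__main__":
    # constructed "today" shortly before the leaf certificates expire
    print(expiring_within(parse_check_expiration(SAMPLE), "2026-10-20"))
```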
List Dashboard SSL certificates
kubectl get secrets -n kubernetes-dashboard
NAME                                         TYPE                                  DATA   AGE
admin-user                                   kubernetes.io/service-account-token   3      4d
kubernetes-dashboard-csrf                    Opaque                                1      5d19h
sh.helm.release.v1.kubernetes-dashboard.v1   helm.sh/release.v1                    1      5d19h
Renew Kubernetes internal SSL certificates
sudo kubeadm certs renew all
[sudo] password for kubuser:
[renew] Reading configuration from the "kubeadm-config" ConfigMap in namespace "kube-system"...
[renew] Use 'kubeadm init phase upload-config --config your-config-file' to re-upload it.
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed
certificate embedded in the kubeconfig file for the super-admin renewed
Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.
Restart the above pods
kubectl get pods -n kube-system
NAME                                      READY   STATUS    RESTARTS        AGE
calico-kube-controllers-79949b87d-4lgkr   1/1     Running   1 (3h44m ago)   5d22h
calico-node-2lfqp                         1/1     Running   1 (3h44m ago)   5d21h
calico-node-ll8mh                         1/1     Running   1 (3h44m ago)   5d22h
calico-node-sdc72                         1/1     Running   2 (3h44m ago)   5d21h
coredns-674b8bbfcf-55kgn                  1/1     Running   1 (3h44m ago)   5d22h
coredns-674b8bbfcf-wfshm                  1/1     Running   1 (3h44m ago)   5d22h
etcd-kub-master                           1/1     Running   1 (3h44m ago)   5d22h
kube-apiserver-kub-master                 1/1     Running   1 (3h44m ago)   5d22h
kube-controller-manager-kub-master        1/1     Running   1 (3h44m ago)   5d22h
kube-proxy-r4wzl                          1/1     Running   1 (3h44m ago)   5d22h
kube-proxy-smzdh                          1/1     Running   1 (3h44m ago)   5d21h
kube-proxy-v9v54                          1/1     Running   2 (3h44m ago)   5d21h
kube-scheduler-kub-master                 1/1     Running   1 (3h44m ago)   5d22h
kubectl delete pods kube-apiserver-kub-master kube-controller-manager-kub-master etcd-kub-master kube-scheduler-kub-master -n kube-system
pod "kube-apiserver-kub-master" deleted
pod "kube-controller-manager-kub-master" deleted
pod "etcd-kub-master" deleted
pod "kube-scheduler-kub-master" deleted
After this the above pods are started again with the new SSL certs in effect. Check the RESTARTS column before relying on that: a count that has not increased (here kube-apiserver still shows 1 restart from 3h46m ago) means the kubelet only re-created the mirror Pod object and the container is still running with the old certificates. Static Pods are managed by the kubelet, not the API server, so to really restart them move their manifests out of /etc/kubernetes/manifests/ for about 20 seconds and then back.
kubectl get pods -n kube-system
NAME                                      READY   STATUS    RESTARTS        AGE
calico-kube-controllers-79949b87d-4lgkr   1/1     Running   1 (3h46m ago)   5d22h
calico-node-2lfqp                         1/1     Running   1 (3h45m ago)   5d21h
calico-node-ll8mh                         1/1     Running   1 (3h46m ago)   5d22h
calico-node-sdc72                         1/1     Running   2 (3h46m ago)   5d22h
coredns-674b8bbfcf-55kgn                  1/1     Running   1 (3h46m ago)   5d22h
coredns-674b8bbfcf-wfshm                  1/1     Running   1 (3h46m ago)   5d22h
etcd-kub-master                           0/1     Pending   0               6s
kube-apiserver-kub-master                 1/1     Running   1 (3h46m ago)   6s
kube-controller-manager-kub-master        0/1     Pending   0               6s
kube-proxy-r4wzl                          1/1     Running   1 (3h46m ago)   5d22h
kube-proxy-smzdh                          1/1     Running   1 (3h45m ago)   5d21h
kube-proxy-v9v54                          1/1     Running   2 (3h46m ago)   5d22h
kube-scheduler-kub-master                 0/1     Pending   0               6s
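The reliable way to confirm the restart took effect is to compare the certificate the API server presents on the wire with the file kubeadm renewed. This is an added example, not part of the original page; it assumes kubeadm's default path /etc/kubernetes/pki/apiserver.crt and API port 6443, and the PEM strings at the bottom are constructed stand-ins so it can run offline.

```python
"""Verify kube-apiserver is serving the renewed certificate rather than the one loaded before the restart."""
import hashlib
import ssl

def fingerprint(pem):
    """SHA-256 of the DER encoding, the value `openssl x509 -noout -fingerprint -sha256` prints."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def served_matches_disk(served_pem, disk_pem):
    """True when the certificate seen on the wire is the file kubeadm renewed."""
    return fingerprint(served_pem) == fingerprint(disk_pem)

def check_apiserver(host, port=6443, disk_path="/etc/kubernetes/pki/apiserver.crt"):
    """Fetch the leaf certificate the API server presents and compare it with the file on disk.
    Chain verification is skipped on purpose: only the leaf's identity matters here."""
    served = ssl.get_server_certificate((host, port))
    with open(disk_path) as f:
        return served_matches_disk(served, f.read())

# Constructed PEM stand-ins (arbitrary base64 bodies, not real certificates) for an offline run.
OLD_PEM = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"
NEW_PEM = "-----BEGIN CERTIFICATE-----\nCQgHBgUEAwIBAA==\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print("restart took effect:", served_matches_disk(NEW_PEM, NEW_PEM))    # True
    print("still serving old cert:", served_matches_disk(OLD_PEM, NEW_PEM))  # False
```

On a live control plane call check_apiserver("192.168.1.35") from the node itself; a False result means the kubelet has not restarted the container yet.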
Add a new CSR
Base64-encode the PEM CSR content and create a YAML file as follows
vi csr.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: my-ssl-cert
spec:
  request: <base64-encoded PEM CSR, removed here>
  signerName: "home.com/newsign"
  expirationSeconds: 86400000 # Optional: 1000 days (kubectl shows this as 2y270d)
  usages:
  - client auth
Apply the above
kubectl apply -f csr.yaml
Check the CSR
kubectl get csr
NAME          AGE   SIGNERNAME         REQUESTOR          REQUESTEDDURATION   CONDITION
my-ssl-cert   15s   home.com/newsign   kubernetes-admin   2y270d              Pending
Approve it
kubectl certificate approve my-ssl-cert
certificatesigningrequest.certificates.k8s.io/my-ssl-cert approved
Check again
kubectl get csr
NAME          AGE   SIGNERNAME         REQUESTOR          REQUESTEDDURATION   CONDITION
my-ssl-cert   56s   home.com/newsign   kubernetes-admin   2y270d              Approved
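Hand-editing csr.yaml is where the base64 and duration mistakes happen, so here is an added example (not part of the original page) that builds the manifest from a PEM CSR, enforces the API's 600-second minimum for expirationSeconds, and shows how kubectl will render the duration in REQUESTEDDURATION. The CSR body is a constructed stand-in for the output of `openssl req -new`.

```python
"""Build a CertificateSigningRequest manifest and predict kubectl's REQUESTEDDURATION column."""
import base64
import json

MIN_EXPIRATION_SECONDS = 600  # the API server rejects anything shorter than 10 minutes

def human_duration(seconds):
    """Render a day-scale duration the way kubectl does (2 days up to 8 years), e.g. 86400000 -> '2y270d'."""
    hours = seconds // 3600
    days = hours // 24
    if hours < 48 or hours >= 24 * 365 * 8:
        raise ValueError("only durations between 2 days and 8 years are rendered here")
    if hours < 24 * 8:
        return f"{days}d" if hours % 24 == 0 else f"{days}d{hours % 24}h"
    if hours < 24 * 365 * 2:
        return f"{days}d"
    years, rem = hours // (24 * 365), days % 365
    return f"{years}y" if rem == 0 else f"{years}y{rem}d"

def build_csr_manifest(name, csr_pem, signer, expiration_seconds, usages=("client auth",)):
    """Return the manifest as a dict; json.dumps() of it is valid YAML for `kubectl apply -f`."""
    if b"CERTIFICATE REQUEST-----" not in csr_pem.split(b"\n", 1)[0]:
        raise ValueError("request must be a PEM-encoded CSR")
    if expiration_seconds < MIN_EXPIRATION_SECONDS:
        raise ValueError("expirationSeconds must be at least 600")
    return {
        "apiVersion": "certificates.k8s.io/v1",
        "kind": "CertificateSigningRequest",
        "metadata": {"name": name},
        "spec": {
            "request": base64.b64encode(csr_pem).decode("ascii"),  # base64 of the PEM text, not of DER
            "signerName": signer,  # a custom signer like home.com/newsign needs its own signing controller
            "expirationSeconds": expiration_seconds,
            "usages": list(usages),
        },
    }

# Constructed stand-in; a real body comes from `openssl req -new`.
SAMPLE_CSR = b"-----BEGIN CERTIFICATE REQUEST-----\nMIIBxyz...\n-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    manifest = build_csr_manifest("my-ssl-cert", SAMPLE_CSR, "home.com/newsign", 86400000)
    print(json.dumps(manifest, indent=2))
    print("kubectl will show REQUESTEDDURATION =", human_duration(86400000))  # 2y270d
```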
Add a new SSL certificate for apps
Create a secret from the new SSL certificate and private key
kubectl create secret tls kube-app-cert --cert=server.crt --key=server.key -n default
secret/kube-app-cert created
List the newly added secret
kubectl get secrets -n default
NAME                                         TYPE                                  DATA   AGE
admin-user                                   kubernetes.io/service-account-token   3      4d
kube-app-cert                                kubernetes.io/tls                     2      9s
kubernetes-dashboard-csrf                    Opaque                                1      5d19h
sh.helm.release.v1.kubernetes-dashboard.v1   helm.sh/release.v1                    1      5d19h
View the certificate and private key
This shows the base64-encoded data fields
kubectl get secrets kube-app-cert -n default -o yaml
apiVersion: v1
data:
  tls.crt: <base64-encoded certificate, removed here>
  tls.key: <base64-encoded private key, removed here>
kind: Secret
metadata:
  creationTimestamp: "2025-11-10T05:21:41Z"
  name: kube-app-cert
  namespace: default
  resourceVersion: "420370"
  uid: 81c48bef-7625-4a19-8f66-3cfcbb28cb82
type: kubernetes.io/tls
View the decoded output
echo "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURTekNDQWpPZ0F3SUJBZ0lVTGFvLytDVHU2YTVXeTNHTFNoSGxGOG9OODV3d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1RqRUxNQWtHQTFVRUJoTUNTVTR4Q3pBSkJnTlZCQWdNQWtoU01Rd3dDZ1lEVlFRSERBTkhSMDR4RFRBTApCZ05WQkFvTUJFaHZiV1V4RlRBVEJnTlZCQU1NRERFNU1pNHhOamd1TVM0ek5UQWVGdzB5TlRFeE1UQXdOVEU1Ck5ESmFGdzB5TmpFeE1UQXdOVEU1TkRKYU1FNHhDekFKQmdOVkJBWVRBa2xPTVFzd0NRWURWUVFJREFKSVVqRU0KTUFvR0ExVUVCd3dEUjBkT01RMHdDd1lEVlFRS0RBUkliMjFsTVJVd0V3WURWUVFEREF3eE9USXVNVFk0TGpFdQpNelV3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRElwZWt3MnBUTjBwcW14R0U2CjU4MVZoWjJRaGRLTy9ocjlKVHA4YUN4Zi9mL3NlaTNMZGJ5Qk9zdlVFbE03TDN1ZmJtemhNeW03RjhRekdNcVQKNDV5QWpuZy9OOFZ6YkIxY3luV3VobS84cDRDcG9Mb05UUzd2ZkxPSkNMeWJObFZzeDAxK2JteGtOaHZZaW5MUQpheVBicWl3TEFhWG9qZzNMLzUySlViNWRwNVNNQmt6UFdxZWhvdy9qUGJBTU9rMmdwR2JkNFlvamFwZnB3RjdWCnIzcVVWY2pidjlXRDNWajhSOWdoRkZ2R0dCSmhvbS9lRGJQcFVqTDhoYjJURG1GNmxOZ0RHQ0pEUERoWHBJU3oKVkpEcW4wdWNaZmowbUpLZkt6cjIxa0hiREVEVDdVZ0k1VWRhUk93b3ZGdXE4RVNVZXhaVzZmMk9qQ2g0WEdjbgpVVjIzQWdNQkFBR2pJVEFmTUIwR0ExVWREZ1FXQkJTa1RiSEhTblNCdmRBeXZpM3E1Q2ppQ1ZLOXhUQU5CZ2txCmhraUc5dzBCQVFzRkFBT0NBUUVBRXFtNVcvYmRXVVFlbnNOQWYxaDdISFl1Nzh4cEdUdGUwb0dZZVRWUXNDdVAKMkJDbUUvdkFHaXplc0F2QXMvNnFwZmhNcmtEZ0NZN0llaUVqY3dnRmg0R3JOYllrVGljVVdqVUF3T0YxMUN0bQpoSlkzdnlSbUU0SGUyYmlSSDg4cG9zU1k1cTc2UHVoQU9UMEc4YnVEMUltS1pneHNVOCt0UUhJUDFhL1lNdVhNCkhNVTZGajBpTGhwd0JpTUJUYVppU09ocERobzQvUmNCbC92bEJqM01ILzhwVEJYTHlQT01aT2QyM1c3VkdVTHQKbWlrZmhWRU5ZSU93Y3pORHhzcUZTa1pDNG4zMkd0R3Rzc0IvOFpGQTh4Q0xsUW4weVZReEVxN2FaYk5jbE5iRApoNG96QVNqNUZNTU1SdXEvRGRMRkZCRFlobEdXQ0VoVFRIbjBDdU9ibmc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==" | base64 --decode
-----BEGIN CERTIFICATE-----
<PEM body removed here>
-----END CERTIFICATE-----
Use the newly added SSL certificate in apps (e.g. nginx)
Prepare the YAML file as follows. The secretName field must name an existing kubernetes.io/tls secret in the same namespace (“kube-nginx-cert” here), otherwise the Pod stays in ContainerCreating. Note that mounting the secret at /etc/ssl hides the image's own /etc/ssl/certs CA bundle from the container; nginx does not need it to serve TLS, but a dedicated path such as /etc/nginx/tls avoids the surprise.
vi nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx-web-app
  labels:
    app: nginx-web
  annotations:
    cni.projectcalico.org/ipAddrs: "[\"192.168.100.50\"]"
spec:
  containers:
  - name: nginx
    image: nginx:latest
    ports:
    - containerPort: 443
    volumeMounts:
    - name: tls-secret
      mountPath: "/etc/ssl"
      readOnly: true
    - name: nginx-config
      mountPath: "/etc/nginx/nginx.conf"
      subPath: nginx.conf
      readOnly: true
  volumes:
  - name: tls-secret
    secret:
      secretName: kube-nginx-cert
  - name: nginx-config
    configMap:
      name: nginx-config
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-web-svc
spec:
  selector:
    app: nginx-web
  ports:
  - protocol: TCP
    port: 443
    targetPort: 443
  type: NodePort
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-config
data:
  nginx.conf: |
    events {}
    http {
      server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /etc/ssl/tls.crt;
        ssl_certificate_key /etc/ssl/tls.key;
        location / {
          root /usr/share/nginx/html;
          index index.html;
        }
      }
    }
Apply to create/patch the app pod
kubectl apply -f nginx.yaml
Check the pod status
kubectl get pods
NAME                                  READY   STATUS    RESTARTS        AGE
mysql-colt-database-99ccb9f97-md8l8   1/1     Running   1 (5h13m ago)   3d20h
mysql-colt-database-99ccb9f97-qq27l   1/1     Running   1 (5h13m ago)   3d20h
nginx-web-app                         1/1     Running   0               5m33s
Check the NodePort of the app to access it via the worker/controller node IP addresses
kubectl get svc
NAME            TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
kubernetes      ClusterIP   10.96.0.1        <none>        443/TCP         5d23h
mysql-svc       ClusterIP   10.108.111.223   <none>        3306/TCP        3d21h
nginx-web-svc   NodePort    10.97.39.153     <none>        443:31977/TCP   6m30s
Here you can see that the service port exposed on the worker/controller node IPs is 31977.
Access https://192.168.1.35:31977, https://192.168.1.36:31977 or https://192.168.1.37:31977 from a web browser to confirm the SSL cert.
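Before applying the manifest it is worth checking two things that otherwise only surface as a Pod stuck in ContainerCreating or an nginx start-up failure: that the TLS secret is of type kubernetes.io/tls with PEM-framed tls.crt and tls.key, and that every secret volume in the Pod names a secret that actually exists in its namespace (note that the secret created above is kube-app-cert while the Pod references kube-nginx-cert). This is an added example, not part of the original page; the inputs are constructed dicts in the shape `kubectl get ... -o json` returns.

```python
"""Pre-flight checks for a kubernetes.io/tls Secret and the Pod that mounts it."""
import base64

PEM_HEADERS = {
    "tls.crt": (b"-----BEGIN CERTIFICATE-----",),
    "tls.key": (b"-----BEGIN PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----",
                b"-----BEGIN EC PRIVATE KEY-----"),
}

def check_tls_secret(secret):
    """Return a list of problems; an empty list means nginx can consume tls.crt and tls.key."""
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"type is {secret.get('type')!r}, expected kubernetes.io/tls")
    data = secret.get("data", {})
    for key, headers in PEM_HEADERS.items():
        if key not in data:
            problems.append(f"missing data key {key}")
            continue
        try:
            pem = base64.b64decode(data[key], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{key} is not valid base64")
            continue
        if not pem.startswith(headers):
            problems.append(f"{key} does not start with a PEM header")
    return problems

def missing_secret_volumes(pod, existing_secret_names):
    """Secrets referenced by the Pod's volumes that do not exist in its namespace."""
    volumes = pod.get("spec", {}).get("volumes", [])
    refs = [v["secret"]["secretName"] for v in volumes if "secret" in v]
    return [name for name in refs if name not in existing_secret_names]

def b64(raw):
    return base64.b64encode(raw).decode("ascii")

SAMPLE_SECRET = {  # constructed; the PEM bodies are stand-ins, not real key material
    "type": "kubernetes.io/tls",
    "metadata": {"name": "kube-app-cert", "namespace": "default"},
    "data": {"tls.crt": b64(b"-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n"),
             "tls.key": b64(b"-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")},
}
SAMPLE_POD = {"spec": {"volumes": [{"name": "tls-secret", "secret": {"secretName": "kube-nginx-cert"}},
                                   {"name": "nginx-config", "configMap": {"name": "nginx-config"}}]}}

if __name__ == "__main__":
    print(check_tls_secret(SAMPLE_SECRET))                         # []
    print(missing_secret_volumes(SAMPLE_POD, {"kube-app-cert"}))   # ['kube-nginx-cert']
```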