Fix advice about checking certificate expiry #45127

Merged (3 commits) on Aug 12, 2024
Expand Up @@ -112,6 +112,7 @@ Verify the status of the load balancer (if used) to ensure it is healthy and for
traffic to the API server.

## TLS problems
* Additional tools required - `base64` and `openssl` version 3.0 or above.

The Kubernetes API server only serves HTTPS requests by default. In that case TLS problems
may occur due to various reasons, such as certificate expiry or chain of trust validity.
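Review bot: the new bullet under `## TLS problems` says `openssl` version 3.0 or above is required, but nothing in this change depends on 3.0; the `openssl x509 -noout -dates` invocation used further down works with the OpenSSL 1.1 series as well, so either drop the version floor or say why it is needed. The line also reads better as a sentence in the page's prerequisites section rather than a lone bullet directly under the heading (the review thread raises the same placement question), e.g. "You will also need the `base64` and `openssl` command-line tools."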
Expand All @@ -123,23 +124,23 @@ directory. The `certificate-authority` attribute contains the CA certificate and
Verify the expiry of these certificates:

```shell
openssl x509 -noout -dates -in $(kubectl config view --minify --output 'jsonpath={.clusters[0].cluster.certificate-authority}')
kubectl config view --flatten --output 'jsonpath={.clusters[0].cluster.certificate-authority-data}' | base64 -d | openssl x509 -noout -dates
Contributor
(nit)
I'd mention base64 in the page prerequisites. Also openssl, although it should have been there anyway.

Contributor Author

It's not clear to me how to best advise base64 and openssl as pre-requisites. base64 is part GNU core utilities and for openssl, as you suggest, should be already there...from my perspective, if you are this far in i.e. troubleshooting, both of these requirements would be implicitly met.

Contributor Author

Hi - this is my first PR - is there something else that needs to be done for it to be merged? Thanks.

Contributor
@sftim sftim Apr 12, 2024

> It's not clear to me how to best advise base64 and openssl as pre-requisites. base64 is part GNU core utilities and for openssl, as you suggest, should be already there...from my perspective, if you are this far in i.e. troubleshooting, both of these requirements would be implicitly met.

Mention these in the prerequisites section.
This is a little like a recipe; a recipe for a meal might say something like:

  • preheat the oven to 220°C
  • you will need a steamer basket and an ovenproof metal bowl at least 15cm deep

[and a list of ingredients]

Even though cooks reading that recipe probably have an oven and the utensils, listing them all is helpful. If someone wanted to do troubleshooting and they don't have openssl, it's helpful for them to know that right from the start.

Contributor Author

Hi - thanks for the suggestion. I considered putting it into the prerequisites, but given that not all issues in this document require those tools, I thought some additional tooling in the TLS problems passage would be cleaner. However, this may not comply with the doc standard, so I am also OK to move it into the prerequisites; just let us know.

```

output:
```console
notBefore=Sep 2 08:34:12 2023 GMT
notAfter=Aug 31 08:34:12 2033 GMT
notBefore=Feb 13 05:57:47 2024 GMT
notAfter=Feb 10 06:02:47 2034 GMT
```

```shell
openssl x509 -noout -dates -in $(kubectl config view --minify --output 'jsonpath={.users[0].user.client-certificate}')
kubectl config view --flatten --output 'jsonpath={.users[0].user.client-certificate-data}'| base64 -d | openssl x509 -noout -dates
Contributor

Why's this better?

```

output:
```console
notBefore=Sep 2 08:34:12 2023 GMT
notAfter=Sep 2 08:34:12 2026 GMT
notBefore=Feb 13 05:57:47 2024 GMT
notAfter=Feb 12 06:02:50 2025 GMT
```

## Verify kubectl helpers
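Review bot: the replacement commands drop the `--minify` that the removed lines had: `kubectl config view --flatten --output 'jsonpath={.clusters[0].cluster.certificate-authority-data}'` selects `.clusters[0]` from the whole merged kubeconfig, so on a multi-cluster kubeconfig it can decode the CA of a cluster other than the one in the current context, and the same holds for `.users[0]` in the client-certificate command. Keep both flags, e.g. `kubectl config view --minify --flatten --output 'jsonpath={.clusters[0].cluster.certificate-authority-data}' | base64 -d | openssl x509 -noout -dates`. The switch from `certificate-authority` / `client-certificate` to the `-data` fields is the actual fix and answers the "Why's this better?" question: the old commands only work when the kubeconfig references the certificates by file path and fail when the material is embedded inline, which the surrounding prose should state so readers know which form their kubeconfig uses. Minor: the client-certificate line is missing a space before the `|`.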
Expand All @@ -155,4 +156,4 @@ kubectl config view
```

If you previously used a helper tool (for example, `kubectl-oidc-login`), ensure that it is still
installed and configured correctly.
installed and configured correctly.
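Review bot: the final line "installed and configured correctly." appears twice because the only change in this hunk is adding the missing newline at end of file; that is fine, but a one-line mention in the PR description would save reviewers from looking for a content change here.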