Generate new certificate
First, we have to generate a private key:
$ openssl genrsa -out ivnilv.pem
and a certificate signing request:
$ openssl req -new -key ivnilv.pem -out ivnilv.csr -subj "/CN=ivnilv"
The common name (CN) of the certificate is important, since Kubernetes takes it as the username of the new user (any O= entries in the subject become that user's groups), so check the subject before submitting it.
Signing the certificate
The signing request needs to be base64-encoded, on a single line, before it is submitted to the Kubernetes API. You can easily encode it using:
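The whole flow, from key generation through encoding the CSR into a CertificateSigningRequest manifest to approving it and fetching the signed certificate, as an added example that is not part of the original post. It assumes openssl and kubectl are on the PATH and that the user should get a client certificate valid for one day (expirationSeconds) issued by the kube-apiserver-client signer; change both to taste.

```shell
#!/bin/sh
# Added example (not from the original post): turn an OpenSSL CSR into a
# Kubernetes CertificateSigningRequest manifest, then approve and fetch the cert.
set -eu

# Base64-encode a file as a single line: .spec.request must not contain newlines.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Print the CSR manifest. $1 = Kubernetes user name, $2 = path to the PEM CSR.
# signerName and the one-day lifetime are assumptions for this example.
build_csr_manifest() {
    user="$1"
    csr_file="$2"
    printf '%s\n' \
        "apiVersion: certificates.k8s.io/v1" \
        "kind: CertificateSigningRequest" \
        "metadata:" \
        "  name: ${user}" \
        "spec:" \
        "  request: $(b64_oneline "$csr_file")" \
        "  signerName: kubernetes.io/kube-apiserver-client" \
        "  expirationSeconds: 86400" \
        "  usages:" \
        "  - client auth"
}

# Full flow with openssl and kubectl. Run with: sh csr.sh --run ivnilv
generate_and_submit() {
    user="$1"
    openssl genrsa -out "${user}.pem" 2048
    openssl req -new -key "${user}.pem" -out "${user}.csr" -subj "/CN=${user}"
    # Check the subject before submitting: the CN becomes the username.
    openssl req -in "${user}.csr" -noout -subject
    build_csr_manifest "$user" "${user}.csr" | kubectl apply -f -
    kubectl certificate approve "$user"
    kubectl get csr "$user" -o jsonpath='{.status.certificate}' | base64 -d > "${user}.crt"
    # Confirm what the cluster actually signed (subject and validity window).
    openssl x509 -in "${user}.crt" -noout -subject -dates
}

if [ "${1:-}" = "--run" ]; then
    generate_and_submit "${2:-ivnilv}"
fi
```

Approval is a privileged action (it grants whoever holds ivnilv.pem the identity in the CN), so keep the approve step with a cluster admin and check the subject printed by `openssl req -noout -subject` before running it.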
Let’s assume the following setup, where an HAProxy frontend accepts incoming requests for an app on port 80 and forwards them to the application’s backend servers (nginx web instances). This is useful, for example, when you want to upgrade the nginx servers hosting your web application’s code to the latest nginx version with zero downtime. Here is the minimal haproxy.cfg configuration file we are going to use for this guide:
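An added example, not from the original post, of the setup described above together with the step that actually makes the upgrade zero-downtime: a minimal haproxy.cfg with health checks and an admin runtime socket, and a script that drains one nginx backend through that socket, waits for its in-flight sessions to finish, runs the upgrade, and puts it back into rotation. The backend and server names (web, web1, web2), the socket path, the nginx addresses and the use of socat are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): minimal haproxy.cfg plus a
# drain -> upgrade -> ready cycle for one backend server over the runtime API.
set -eu

SOCK=/var/run/haproxy.sock   # assumed admin socket path

# Write the assumed minimal config. "check" lets HAProxy drop an nginx that is
# down; the admin-level stats socket lets us take a server out on purpose.
write_config() {
    cat > "$1" <<'EOF'
global
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    default_backend web

backend web
    balance roundrobin
    option httpchk GET /
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
EOF
}

# Send one command to the HAProxy runtime API and print its reply.
hap() {
    printf '%s\n' "$1" | socat stdio "unix-connect:$SOCK"
}

# From "show stat" CSV on stdin, print the current sessions (scur, column 5)
# of backend $1 / server $2. Prints nothing if the pair is not listed.
scur_for() {
    awk -F, -v b="$1" -v s="$2" '$1 == b && $2 == s { print $5 }'
}

# Drain a server (finish in-flight requests, take no new ones), wait until it
# has zero sessions, run the upgrade command, then mark it ready again.
# Usage: upgrade_server web web1 "ssh 10.0.0.11 apt-get install -y nginx"
upgrade_server() {
    backend="$1"; server="$2"; upgrade_cmd="$3"
    hap "set server $backend/$server state drain"
    while n=$(hap 'show stat' | scur_for "$backend" "$server"); [ "${n:-0}" -gt 0 ]; do
        sleep 1
    done
    sh -c "$upgrade_cmd"
    hap "set server $backend/$server state ready"
}
```

Do one server at a time and wait for its health check to go back to UP (`hap 'show stat'` again) before draining the next; with only two backends, draining both at once is the one way this procedure can still cause downtime. Drain, unlike maint, keeps serving sessions that are already established, which is what lets the old nginx finish its requests cleanly.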
Install CertBot
Installing certbot on Ubuntu is straightforward:
apt-get install certbot
Generate certificate
Depending on the type of web server you are using, you need to pass a different plugin flag to certbot so that it can configure your virtual host properly (--apache for Apache; --webroot or --standalone only obtain the certificate and leave the server configuration to you). When certbot comes from apt, the nginx plugin lives in the separate python3-certbot-nginx package, so install that too.
In the case of nginx, it’s as simple as:
certbot --nginx
Next, you’ll need to answer a couple of questions which are necessary for the certificate issuance (a contact e-mail, agreement to the terms of service, and which of the server names found in your nginx config the certificate should cover).
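The same issuance in non-interactive form, plus the check a practitioner wants afterwards: that the certificate actually being served has enough lifetime left for the automatic renewal to be working. This is an added example, not from the original post; the domain names and contact e-mail are assumptions, and it assumes GNU date for the expiry arithmetic.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive certbot --nginx
# issuance and a post-issuance expiry check against the served certificate.
set -eu

# Issue a certificate for the given hosts, let certbot rewrite the nginx vhost
# and add the HTTP->HTTPS redirect. Run as root on the web host.
# Usage: issue_cert admin@example.com example.com www.example.com
issue_cert() {
    email="$1"; shift
    domain_args=""
    for d in "$@"; do domain_args="$domain_args -d $d"; done
    # $domain_args is intentionally unquoted so each -d pair becomes its own word.
    certbot --nginx --non-interactive --agree-tos -m "$email" --redirect $domain_args
    # Prove the renewal path works before trusting the systemd timer to do it.
    certbot renew --dry-run
}

# Print the notAfter line of the certificate served for host $1, e.g.
# "notAfter=Mar 10 12:00:00 2026 GMT".
served_not_after() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -enddate
}

# Convert an openssl "notAfter=..." line into whole days remaining (negative
# once expired). Uses GNU date -d to parse the timestamp.
days_left() {
    end="${1#notAfter=}"
    end_epoch=$(date -u -d "$end" +%s)
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

if [ "${1:-}" = "--check" ]; then
    d=$(days_left "$(served_not_after "$2")")
    echo "$2: $d days left"
    # Let's Encrypt certificates are valid for 90 days and certbot renews them
    # once 30 remain; fewer than that means renewal is not happening.
    [ "$d" -ge 30 ] || echo "warning: renewal may be broken on $2" >&2
fi
```

Run `sh cert-check.sh --check example.com` from anywhere, not just the web host: checking the certificate the public sees catches the case where renewal succeeded on disk but nginx was never reloaded.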
Check etcd-manager version
Using kubectl (k being an alias for kubectl):
$ k -n kube-system get pod etcd-manager-main-ip-NODE-IP-ADDRESS -o yaml | grep "image:"
image: kopeio/etcd-manager:3.0.20200429
According to the release notes, version 3.0.20200428 brings a fix that renews expiring certificates in the cluster. However, as noted in GitHub issue #309, the implementation is:
"Not a perfect fix; if you don’t restart things every now and then, they could still expire. But it’s at least closer, and means if you do restart things, it will fix itself."
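A way to run the version check across every etcd-manager pod at once and flag the ones older than the fix, as an added example that is not part of the original post. It assumes kubectl access to kube-system, that kops labels the pods k8s-app=etcd-manager-main and etcd-manager-events, and that image tags keep the 3.0.YYYYMMDD form shown above; the date part of the tag is what gets compared.

```shell
#!/bin/sh
# Added example (not from the original post): list every etcd-manager pod image
# in kube-system and flag tags older than the cert-renewal fix (3.0.20200428).
set -eu

MIN_DATE=20200428   # first release that renews expiring certificates

# Return 0 if an image such as kopeio/etcd-manager:3.0.20200429 carries the fix,
# 1 if it is older, 2 if the tag is not in the 3.0.YYYYMMDD form we expect.
image_has_fix() {
    tag="${1##*:}"          # text after the last ':' (the image tag)
    date_part="${tag##*.}"  # text after the last '.' (the YYYYMMDD)
    case "$date_part" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 2 ;;
    esac
    [ "$date_part" -ge "$MIN_DATE" ]
}

# Walk the main and events etcd-manager pods and report each image.
# The label selector is an assumption about how kops labels these pods.
check_cluster() {
    kubectl -n kube-system get pods \
        -l 'k8s-app in (etcd-manager-main,etcd-manager-events)' \
        -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.containers[0].image}{"\n"}{end}' |
    while read -r pod image; do
        image_has_fix "$image" && rc=0 || rc=$?
        case $rc in
            0) echo "OK      $pod $image" ;;
            1) echo "OLD     $pod $image (upgrade; certs will not renew)" ;;
            *) echo "UNKNOWN $pod $image (tag not in 3.0.YYYYMMDD form)" ;;
        esac
    done
}

if [ "${1:-}" = "--run" ]; then
    check_cluster
fi
```

An OK result only means the pod is able to renew: per the issue quoted above, the renewal happens on restart, so a control plane that has been up since before the certificates' expiry date still needs its etcd-manager pods restarted for the fix to take effect.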