How to Increase the Validity of Certificate Based Kubeconfig

Problem

How to increase the validity of certificate-based kubeconfig.

Environment

Platform9 Managed Kubernetes - All versions

For PMK (SaaS) support team will carry out the procedure below. Please open a Support Ticket.
For PEC/SMCP (air-gapped), the steps can be performed from the management plane.

Procedure

How to access the Qbert Database:

If using PEC, SSH to the management plane VM and run mysql qbert.
If using SMCP, exec into the mysql exporter pod in the management plane cluster and run mysql qbert.

The default validity of certificate-based kubeconfig is 24 hours. Which is set by a parameter certExpiryHrs in Qbert Database.

mysql
    
 
qbert> select id,name,uuid,status,lastOk,lastOp,taskStatus,kubeRoleVersion,certExpiryHrs from clusters\G;
Copy

Example:

mysql
    
 
qbert> select id,name,uuid,status,lastOk,lastOp,taskStatus,kubeRoleVersion,certExpiryHrs from clusters\G;*************************** 1. row ***************************             id: 2           name: cluster1           uuid: ed4153e1-0ff9-4bc0-8abb-eebad5f16e70         status: ok         lastOk: 2022-03-30 09:49:16.581         lastOp: 2022-03-30 09:46:20.036     taskStatus: successkubeRoleVersion: 1.20.15-pmk.2100  certExpiryHrs: 24
Copy

To increase or decrease the validity of certificate-based kubeconfig, update the certExpiryHrs in Qbert Database for the respective cluster.

mysql
    
 
qbert> update clusters set certExpiryHrs='<TIME_IN_HOURS>' where uuid='<UUID_OF_CLUSTER>';
Copy

Example:

mysql
    
​x
 
qbert> update clusters set certExpiryHrs='48' where uuid='ed4153e1-0ff9-4bc0-8abb-eebad5f16e70';​# mysql qbert -e "select id,name,uuid,status,lastOk,lastOp,taskStatus,kubeRoleVersion,certExpiryHrs from clusters\G"*************************** 1. row ***************************             id: 2           name: cluster1           uuid: ed4153e1-0ff9-4bc0-8abb-eebad5f16e70         status: ok         lastOk: 2022-03-30 09:53:37.353         lastOp: 2022-03-30 09:46:20.036     taskStatus: successkubeRoleVersion: 1.20.15-pmk.2100  certExpiryHrs: 48
Copy

After updating the Qbert Database, Check the validity of newly generated certificate-based kubeconfigs.

bash
    
 
# echo "<client_cert>" | base64 -d| openssl x509 -noout -datesnotBefore=Mar 30 09:57:04 2022 GMTnotAfter=Apr  1 09:57:34 2022 GMT
Copy

Example:

bash
    
 
# echo "<client_cert>" | base64 -d| openssl x509 -noout -datesnotBefore=Mar 30 09:57:04 2022 GMTnotAfter=Apr  1 09:57:34 2022 GMT
Copy

The changes made to the Qbert Database are persistent through Cluster and Management plane upgrades.

Additional Information

Refer to the document for instructions on how to open a support ticket.

Last updated on

Was this page helpful?