How to Monitor Vault Token and Expiry Dates of Various certs?

Problem

How to proactively check the status of the vault token and the expiry dates of the related certificates.

Environment

  • Platform9 Edge Cloud - v5.3 and Higher

Answer

Scenario-1: How to check the vault token status specific to a cluster?

Run the commands below from the DU VM as the root user:

  1. Fetch the vault token:

export VAULT_TOKEN=$(mysql qbert -Bse "SELECT credential_value FROM qbert_secrets where credential_name='root_token'")

  2. Export the vault address:

export VAULT_ADDR=http://127.0.0.1:8200

  3. Export the cluster UUID:

mysql qbert -e "select name,id,uuid,status,lastOk,lastOp,taskStatus,kubeRoleVersion from clusters;"

CLUSTER_UUID=<cluster-UUID>

  4. Export the cluster vault token:

  5. Execute the vault token lookup

Example output:

Scenario-2: Monitoring Sunpike CA and Certs

Run the commands below from the DU VM as the root user:

If the Sunpike CA is expiring, please follow the manual steps mentioned in the following article to regenerate it: https://platform9.com/kb/PEC/refresh-sunpike-ca

To check the sunpike-kube-apiserver certificate expiry:

Scenario-3: Monitoring Cluster CA and Certs

Run the commands below from the DU VM as the root user:

This outputs the date on which the CA is created and the date on which it expires, per cluster. If the certs are expiring, please follow the manual steps mentioned in the following article to regenerate them: https://platform9.com/kb/PEC/refresh-cluster-ca

To verify the cluster certificate details from the node:

Scenario-4: Vault token renewal steps

Follow the steps mentioned in the KB "Renew expired vault token" from the DU VM.
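
To turn the Scenario-1 lookup into a proactive check, the following added example (not part of the original article or of Platform9's tooling) classifies the JSON form of a token lookup by its remaining TTL. The sample documents are constructed, and the function names, thresholds and exit-code mapping are assumptions.

```python
import json
import sys

# Constructed samples shaped like `vault token lookup -format=json` output.
EXPIRING = ('{"data": {"display_name": "token", "renewable": true, '
            '"expire_time": "2030-01-05T00:00:00Z", "ttl": 432000}}')
ROOT_LIKE = ('{"data": {"display_name": "root", "renewable": false, '
             '"expire_time": null, "ttl": 0}}')

DAY = 86400  # seconds


def token_status(lookup_json, warn_days=30, crit_days=7):
    """Return (status, days_left, renewable) for one token lookup document."""
    try:
        doc = json.loads(lookup_json)
    except ValueError:
        # Empty or non-JSON input, e.g. the lookup itself failed.
        return ("UNKNOWN", None, False)
    data = doc.get("data") if isinstance(doc, dict) else None
    if not data or "ttl" not in data:
        return ("UNKNOWN", None, False)
    renewable = bool(data.get("renewable"))
    # A token created without a TTL reports ttl 0 and a null expire_time.
    if data["ttl"] == 0 and data.get("expire_time") is None:
        return ("NO_EXPIRY", None, renewable)
    days_left = data["ttl"] / DAY
    if days_left <= crit_days:
        status = "CRITICAL"
    elif days_left <= warn_days:
        status = "WARNING"
    else:
        status = "OK"
    return (status, round(days_left, 1), renewable)


def exit_code(status):
    """Map a status to monitoring-plugin style exit codes (assumed convention)."""
    return {"OK": 0, "NO_EXPIRY": 0, "WARNING": 1, "CRITICAL": 2}.get(status, 3)


if __name__ == "__main__":
    # Reads lookup JSON from a pipe; falls back to the constructed sample.
    raw = EXPIRING if sys.stdin.isatty() else sys.stdin.read()
    status, days, renewable = token_status(raw)
    print(f"{status}: days_left={days} renewable={renewable}")
    sys.exit(exit_code(status))
```

A CRITICAL or WARNING result is the signal to schedule the renewal steps above before the token lapses; a non-renewable token in that state needs replacing rather than renewing.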
