Add refresh-certs Command

[mateoflorido]

Overview

Add a refresh-certs command to refresh certificates for both control plane and worker nodes.

Rationale

In Proposal 002, we outlined the process for refreshing certificates via the k8s command line interface. This allows the snap to refresh certificates for both control plane and worker nodes in the cluster.

Testing

root@t-1:~# k8s refresh-certs --ttl 10mo --extra-sans=10.0.10.10 foo.local
Certificates have been successfully refreshed, and will expire at 26265600.
root@t-1:~# openssl x509 -in /etc/kubernetes/pki/kubelet.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            12:c4:76:9f:58:42:e7:a2:e1:2f:b3:fb:6e:85:48:01
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes-ca
        Validity
            Not Before: Aug 23 20:40:39 2024 GMT
            Not After : Jun 23 20:40:39 2025 GMT
        Subject: O = system:nodes, CN = system:node:t-1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e5:ec:c8:51:b7:9c:32:26:05:75:00:b5:39:b0:
                    cc:43:3c:8e:73:60:21:c2:b9:65:2d:c1:c0:f7:24:
                    da:e0:30:2d:8a:76:fd:c8:ad:8b:ed:d3:0a:3b:e6:
                    82:84:99:74:32:8f:e7:5a:da:aa:e6:ba:31:9c:62:
                    11:ef:dd:da:bf:12:27:2f:87:bd:59:26:e1:d2:4f:
                    54:3a:2c:15:a1:e5:07:5a:f0:ad:71:ab:2b:c5:59:
                    8a:6e:f9:44:48:b1:b1:ec:6f:7c:66:20:62:b3:a3:
                    89:75:f1:7a:e4:92:1c:d1:6f:d2:c4:98:41:03:7c:
                    74:90:6f:b6:ed:db:43:46:11:6b:40:66:f3:86:50:
                    fe:64:24:89:0b:51:c0:8b:85:a9:4b:94:60:f7:3d:
                    18:37:78:4f:a9:0f:44:fa:17:58:ad:ca:f7:91:b1:
                    e2:c1:e1:fc:aa:4d:cb:68:a9:b1:ca:28:a7:5d:bc:
                    a4:5a:c3:6d:ab:08:9d:63:9d:3b:f5:a5:a4:12:18:
                    61:49:8b:17:f1:56:16:ef:69:8f:ba:12:98:a5:f0:
                    d4:58:af:3c:68:cd:9b:b1:42:62:ef:b4:89:a9:a7:
                    0e:3d:78:49:47:01:77:cb:14:6e:4d:45:ef:0e:7b:
                    2f:4d:34:a3:4b:39:b5:52:80:cc:a6:57:b5:66:d4:
                    e1:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                7E:77:CB:E4:93:9D:78:3B:06:18:29:30:B8:75:36:B3:E6:C4:5B:64
            X509v3 Subject Alternative Name:
                DNS:t-1, IP Address:10.45.248.29, IP Address:10.152.183.1, IP Address:10.0.10.10, IP Address:127.0.0.1, IP Address:10.1.0.61, IP Address:10.45.248.29, IP Address:0:0:0:0:0:0:0:1, IP Address:FE80:0:0:0:9432:79FF:FE7A:1099, IP Address:FE80:0:0:0:8822:FFFF:FECC:20F4, IP Address:FE80:0:0:0:40D1:A8FF:FE1B:26A4, IP Address:FE80:0:0:0:C425:69FF:FE90:42C8, IP Address:FE80:0:0:0:202B:9EFF:FED5:4830, IP Address:FE80:0:0:0:408D:8DFF:FE39:4EA1, IP Address:FE80:0:0:0:286C:EFFF:FED4:6DC8, IP Address:FE80:0:0:0:64A7:47FF:FE00:3483, IP Address:FE80:0:0:0:216:3EFF:FED5:9F98, IP Address:FE80:0:0:0:216:3EFF:FED1:779C
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        33:25:7a:92:07:af:f7:ef:dc:bd:a5:80:1d:a9:5e:bd:0f:93:
        0e:24:f6:d7:5a:f1:52:69:c9:8e:c7:72:e4:52:74:c8:be:b4:
        1e:b5:d1:d0:70:fb:56:14:c3:37:d7:f9:f4:be:f2:fd:99:4d:
        7b:da:4a:fa:ca:a0:ce:4f:fe:7b:94:eb:54:81:92:14:7a:ec:
        06:45:5b:35:09:94:82:ba:c8:d5:7b:6c:58:61:3b:6d:96:97:
        2d:5d:04:9f:16:45:e9:85:14:5f:90:16:93:67:33:4b:fa:76:
        95:06:a2:3f:77:90:4a:25:9a:37:c8:3a:1b:0e:f9:84:0f:1a:
        3e:42:0d:99:78:82:c4:be:e4:a3:57:1d:0e:f7:ea:00:14:7c:
        67:f3:13:7c:f7:98:72:7f:ef:2c:2f:ae:4c:f7:c7:d0:32:a5:
        47:77:86:c6:b9:d9:50:54:76:78:f4:dd:4d:d1:b6:72:5a:f3:
        3b:87:3a:3f:39:17:ba:1e:0c:0c:5f:69:f0:99:6e:d0:ab:9f:
        49:0d:38:f6:9a:d3:0e:f4:63:52:87:33:3d:54:80:3c:d8:ed:
        dd:20:95:8c:ff:08:f5:24:84:9e:9a:2d:0e:35:28:1d:70:a2:
        7b:e3:01:57:73:76:da:31:b7:c7:00:b7:dd:b4:05:d6:c8:c8:
        ff:3a:0e:7a

Discussion

The RefreshCertificatesRunResponse contains the certificate validity period in seconds. However, parsing this from the CLI might show the user an inaccurate expiration date. Therefore, it may be better to return the UNIX timestamp, which would allow the actual date to be encoded in that field.

[addyess]

Overrall, seems pretty straight forward. I do like the human parsing of the date on when to refresh next

[addyess]

❤️ Super clear

[addyess]

Nice, maybe the k8sd service isn't running. If that's the only reason, maybe indicate how to check that.

[bschimke95]

Great work, did an initial round.

[addyess]

Nice, LGTM. thanks for addressing my questions @mateoflorido

[bschimke95]

LGTM, great work!