kareem-elsayed · July 13, 2020 14:25 · Jun 4, 2020
diff --git a/gistfile1.txt b/gistfile1.txt
@@ -0,0 +1,168 @@
+[root@localhost ~]# INSTALL_K3S_SKIP_DOWNLOAD=true ./install.sh
+[INFO]  Skipping k3s download and verify
+[INFO]  Creating /usr/local/bin/kubectl symlink to k3s
+[INFO]  Creating /usr/local/bin/crictl symlink to k3s
+[INFO]  Skipping /usr/local/bin/ctr symlink to k3s, command exists in PATH at /bin/ctr
+[INFO]  Creating killall script /usr/local/bin/k3s-killall.sh
+[INFO]  Creating uninstall script /usr/local/bin/k3s-uninstall.sh
+[INFO]  env: Creating environment file /etc/systemd/system/k3s.service.env
+[INFO]  systemd: Creating service file /etc/systemd/system/k3s.service
+[INFO]  systemd: Enabling k3s unit
+Created symlink from /etc/systemd/system/multi-user.target.wants/k3s.service to /etc/systemd/system/k3s.service.
+[INFO]  systemd: Starting k3s
+[root@localhost ~]#
+[root@localhost ~]# k3s kubectl get pods -n kube-system
+NAME                                      READY   STATUS      RESTARTS   AGE
+metrics-server-6d684c7b5-4lwbj            1/1     Running     0          58s
+local-path-provisioner-58fb86bdfd-9mp9d   1/1     Running     0          58s
+helm-install-traefik-h9j2t                0/1     Completed   1          58s
+svclb-traefik-98rl7                       2/2     Running     0          52s
+coredns-6c6bb68b64-pl8nt                  1/1     Running     0          58s
+traefik-7b8b884c8-llffl                   1/1     Running     0          52s
+[root@localhost ~]# date
+Thu Jun  4 15:41:44 UTC 2020
+[root@localhost ~]# cd /var/lib/rancher/k3s/server/
+[root@localhost server]# > /var/log/messages
+(reverse-i-search)`stop': systemctl ^Cop k3s
+[root@localhost server]# for i in `ls *.crt`; do echo $i; openssl x509 -noout -startdate -enddate -in $i; done
+ls: cannot access *.crt: No such file or directory
+[root@localhost server]# cd tls/
+[root@localhost tls]# for i in `ls *.crt`; do echo $i; openssl x509 -noout -startdate -enddate -in $i; done
+client-admin.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  4 15:40:24 2021 GMT
+client-auth-proxy.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  4 15:40:24 2021 GMT
+client-ca.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  2 15:40:24 2030 GMT
+client-cloud-controller.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  4 15:40:24 2021 GMT
+client-controller.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  4 15:40:24 2021 GMT
+client-k3s-controller.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  4 15:40:24 2021 GMT
+client-kube-apiserver.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  4 15:40:24 2021 GMT
+client-kube-proxy.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  4 15:40:24 2021 GMT
+client-scheduler.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  4 15:40:24 2021 GMT
+request-header-ca.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  2 15:40:24 2030 GMT
+server-ca.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  2 15:40:24 2030 GMT
+serving-kube-apiserver.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  4 15:40:24 2021 GMT
+[root@localhost tls]# date
+Thu Jun  4 15:42:54 UTC 2020
+[root@localhost tls]# systemctl stop k3s
+[root@localhost tls]# date -s 20210515
+Sat May 15 00:00:00 UTC 2021
+[root@localhost tls]# hwclock -w
+[root@localhost tls]# date
+Sat May 15 00:00:05 UTC 2021
+[root@localhost tls]# systemctl restart k3s
+[root@localhost tls]# for i in `ls *.crt`; do echo $i; openssl x509 -noout -startdate -enddate -in $i; done
+client-admin.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=May 15 00:00:12 2022 GMT
+client-auth-proxy.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=May 15 00:00:12 2022 GMT
+client-ca.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  2 15:40:24 2030 GMT
+client-cloud-controller.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=May 15 00:00:12 2022 GMT
+client-controller.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=May 15 00:00:12 2022 GMT
+client-k3s-controller.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=May 15 00:00:12 2022 GMT
+client-kube-apiserver.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=May 15 00:00:12 2022 GMT
+client-kube-proxy.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=May 15 00:00:12 2022 GMT
+client-scheduler.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=May 15 00:00:12 2022 GMT
+request-header-ca.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  2 15:40:24 2030 GMT
+server-ca.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  2 15:40:24 2030 GMT
+serving-kube-apiserver.crt
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=May 15 00:00:12 2022 GMT
+[root@localhost tls]# for i in `ls *.crt`; do echo $i; openssl x509 -noout -startdate -enddate -in $i; done^C
+[root@localhost tls]# openssl s_client -connect localhost:6443 -showcerts </dev/null 2>&1 | openssl x509 -noout -startdate -enddate
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=Jun  4 15:40:24 2021 GMT
+[root@localhost tls]# k3s kubectl get secret -n kube-system
+NAME                                                 TYPE                                  DATA   AGE
+pv-protection-controller-token-7nfb7                 kubernetes.io/service-account-token   3      344d
+certificate-controller-token-rpglh                   kubernetes.io/service-account-token   3      344d
+node-controller-token-t4fpz                          kubernetes.io/service-account-token   3      344d
+pod-garbage-collector-token-d4pkm                    kubernetes.io/service-account-token   3      344d
+service-controller-token-9tqgk                       kubernetes.io/service-account-token   3      344d
+deployment-controller-token-6vvgg                    kubernetes.io/service-account-token   3      344d
+namespace-controller-token-2nl5p                     kubernetes.io/service-account-token   3      344d
+replication-controller-token-rvfst                   kubernetes.io/service-account-token   3      344d
+cronjob-controller-token-p4hhx                       kubernetes.io/service-account-token   3      344d
+resourcequota-controller-token-7wxq8                 kubernetes.io/service-account-token   3      344d
+expand-controller-token-w9hgk                        kubernetes.io/service-account-token   3      344d
+clusterrole-aggregation-controller-token-d95f6       kubernetes.io/service-account-token   3      344d
+disruption-controller-token-d58ds                    kubernetes.io/service-account-token   3      344d
+coredns-token-m6n4k                                  kubernetes.io/service-account-token   3      344d
+k3s-serving                                          kubernetes.io/tls                     2      344d
+local-path-provisioner-service-account-token-k9nrl   kubernetes.io/service-account-token   3      344d
+ttl-controller-token-hflgx                           kubernetes.io/service-account-token   3      344d
+persistent-volume-binder-token-2qw4t                 kubernetes.io/service-account-token   3      344d
+metrics-server-token-gcwvl                           kubernetes.io/service-account-token   3      344d
+helm-traefik-token-vs8fb                             kubernetes.io/service-account-token   3      344d
+endpoint-controller-token-nclfj                      kubernetes.io/service-account-token   3      344d
+generic-garbage-collector-token-njjk6                kubernetes.io/service-account-token   3      344d
+replicaset-controller-token-pqnk8                    kubernetes.io/service-account-token   3      344d
+pvc-protection-controller-token-jzjn2                kubernetes.io/service-account-token   3      344d
+statefulset-controller-token-sch87                   kubernetes.io/service-account-token   3      344d
+attachdetach-controller-token-bh9br                  kubernetes.io/service-account-token   3      344d
+horizontal-pod-autoscaler-token-k8tb8                kubernetes.io/service-account-token   3      344d
+service-account-controller-token-wlddj               kubernetes.io/service-account-token   3      344d
+daemon-set-controller-token-p4xs6                    kubernetes.io/service-account-token   3      344d
+job-controller-token-sz8x4                           kubernetes.io/service-account-token   3      344d
+default-token-4d685                                  kubernetes.io/service-account-token   3      344d
+traefik-default-cert                                 Opaque                                2      344d
+traefik-token-5vpbt                                  kubernetes.io/service-account-token   3      344d
+sh.helm.release.v1.traefik.v1                        helm.sh/release.v1                    1      344d
+[root@localhost tls]# kubectl delete secret -n kube-system k3s-serving^C
+[root@localhost tls]# ls
+client-admin.crt       client-ca.key                client-k3s-controller.crt  client-kube-proxy.crt  request-header-ca.crt  serving-kube-apiserver.crt
+client-admin.key       client-cloud-controller.crt  client-k3s-controller.key  client-kube-proxy.key  request-header-ca.key  serving-kube-apiserver.key
+client-auth-proxy.crt  client-cloud-controller.key  client-kube-apiserver.crt  client-scheduler.crt   server-ca.crt          serving-kubelet.key
+client-auth-proxy.key  client-controller.crt        client-kube-apiserver.key  client-scheduler.key   server-ca.key          temporary-certs
+client-ca.crt          client-controller.key        client-kubelet.key         dynamic-cert.json      service.key
+[root@localhost tls]# mkdir bak
+[root@localhost tls]# mv dynamic-cert.json bak/
+[root@localhost tls]# kubectl get secret -n kube-system k3s-serving -o yaml > bak/k3s-serving.bak.yaml
+[root@localhost tls]# kubectl delete secret -n kube-system k3s-serving
+secret "k3s-serving" deleted
+[root@localhost tls]# systemctl restart k3s
+[root@localhost tls]# openssl s_client -connect localhost:6443 -showcerts </dev/null 2>&1 | openssl x509 -noout -startdate -enddate
+notBefore=Jun  4 15:40:24 2020 GMT
+notAfter=May 15 00:02:37 2022 GMT