Appendix D: Verifying and Renewing Kubernetes Certificates in the AppViewX Cloud Connector

Checking Certificate Expiry

  1. Log in to the user account in which the AppViewX Cloud Connector has been installed.
  2. Navigate to the AppViewX Cloud Connector home directory (where the install.sh script is located).
  3. To check for certificate expiry, execute the following commands:
    • cat deps/utils/kubeconfig.yaml | grep "client-certificate-data" | awk '{print $2}' | base64 --decode | openssl x509 -text -noout | grep 'Not After'
    • cat ~/.kube/config | grep "client-certificate-data" | awk '{print $2}' | base64 --decode | openssl x509 -text -noout | grep 'Not After'
    If either of the above commands returns a date that is prior to today's date, the corresponding certificate is expired.
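
The same check as a script, given here as an added example (it is not part of the AppViewX tooling). It decodes each client-certificate-data entry separately and uses openssl x509 -checkend, so expiry is decided by exit status rather than by reading the date. The function names and the 30-day warning window are assumptions.

```shell
#!/bin/sh
# Added example: check every client certificate in a kubeconfig with
# `openssl x509 -checkend` instead of comparing 'Not After' by eye.

# Print one status line per client-certificate-data entry in kubeconfig $1.
# $2 = warning window in days (assumed default: 30).
# Returns 0 if every certificate is valid beyond the window, 1 if any is
# expired, expiring or unparseable, 2 if the file is unreadable or has none.
check_kubeconfig_certs() {
    cfg=$1
    days=${2:-30}
    [ -r "$cfg" ] || { echo "$cfg: not readable"; return 2; }
    tmp=$(mktemp) || return 2
    rc=0 n=0
    # Decode each entry on its own: a kubeconfig can hold several users, and
    # openssl would only read the first certificate of a concatenated stream.
    for b64 in $(awk '$1 == "client-certificate-data:" {print $2}' "$cfg"); do
        n=$((n + 1))
        if ! printf '%s' "$b64" | base64 -d > "$tmp" 2>/dev/null ||
           ! end=$(openssl x509 -in "$tmp" -noout -enddate 2>/dev/null); then
            echo "$cfg [$n]: UNPARSEABLE"; rc=1; continue
        fi
        if ! openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null; then
            echo "$cfg [$n]: EXPIRED ($end)"; rc=1
        elif ! openssl x509 -in "$tmp" -noout -checkend $((days * 86400)) >/dev/null; then
            echo "$cfg [$n]: EXPIRING within ${days}d ($end)"; rc=1
        else
            echo "$cfg [$n]: OK ($end)"
        fi
    done
    rm -f "$tmp"
    [ "$n" -gt 0 ] || { echo "$cfg: no client-certificate-data found"; return 2; }
    return $rc
}

# Check both locations used in this appendix. Run from the Cloud Connector
# home directory; a non-zero return means at least one file needs attention.
check_cc_kubeconfigs() {
    overall=0
    for f in deps/utils/kubeconfig.yaml "$HOME/.kube/config"; do
        check_kubeconfig_certs "$f" "${1:-30}" || overall=1
    done
    return $overall
}
```

After sourcing the file, check_cc_kubeconfigs 30 covers both the pre-renewal expiry check and the post-renewal verification of the two kubeconfig copies.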

Renewing the Kubernetes Certificates in the AppViewX Cloud Connector

  1. To identify the deployment method, execute the following command:
    grep -i K3S_INSTALL_MODE <deps_path>/properties/appviewx.properties
    The deps directory is located in the same folder as the installation script.

    If the K3S_INSTALL_MODE flag is present in the properties file, the above command will return one of the following two modes as the output: k3d or standalone.

    Note: The properties file will be located here: <CC_home_directory>/deps/properties/appviewx.properties.
  2. Note: Execute this step only if the K3S_INSTALL_MODE flag is not present or empty.
    Determine the installation mode of the AppViewX Cloud Connector and add it to the properties file.
    To do this:
    1. Execute the following command:
      docker ps -a
      If the output of this command returns a container named k3d-cc-server-0, as shown in the image below:
      1. Modify the properties file to add the following: K3S_INSTALL_MODE=k3d
      If the output does not return the k3d-cc-server-0 container:
      1. Execute the following command:
        systemctl status k3s
      2. If the k3s server is running, modify the properties file to add the following: K3S_INSTALL_MODE=standalone.
  3. If the AppViewX Cloud Connector version is v24.3.0.0 or higher:
    1. Navigate to the home directory of the AppViewX Cloud Connector (where the install.sh script file is located) and execute the following command:
      ./avxctl rotate k3s-cert
      The command will automatically perform all operations needed to renew the expired Kubernetes certificate(s).
    If the AppViewX Cloud Connector version is earlier than v24.3.0.0, to renew the certificates, execute the following steps:
    1. Determine the installation mode of the AppViewX Cloud Connector.
    2. If the installation mode is k3d:
      1. Navigate to the AppViewX Cloud Connector home directory (where the install.sh script is located).
      2. Log in to the Docker container.
        docker exec -it k3d-cc-server-0 sh
      3. Rotate the certificate.
        k3s certificate rotate
      4. Restart the Docker container.
        sudo systemctl restart docker
      5. For Ubuntu, update the nameserver in Coredns.
        ./deps/utils/update_nameserver_in_coredns.sh
      6. Back up the existing certificates.
        mv "$(pwd)"/deps/utils/kubeconfig.yaml "$(pwd)"/deps/utils/bkp_kubeconfig.yaml
        mv ~/.kube/config ~/.kube/bkp_config
        
      7. Renew the certificates.
        deps/tools/k3d kubeconfig get cc > "$(pwd)"/deps/utils/kubeconfig.yaml
        cp deps/utils/kubeconfig.yaml ~/.kube/config
        chmod 600 ~/.kube/config
        chmod 664 "$(pwd)"/deps/utils/kubeconfig.yaml
        
      If the installation mode is standalone:
      1. Navigate to the AppViewX Cloud Connector home directory (where the install.sh script is located).
      2. Restart the k3s service.
        sudo systemctl restart k3s.service
      3. Check if the certificate has been renewed in the /etc location.
        cat /etc/rancher/k3s/k3s.yaml | grep "client-certificate-data" | awk '{print $2}' | base64 --decode | openssl x509 -noout -enddate
      4. Copy the renewed certificate to the required locations and grant the required permissions on the host machine.
        cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
        cp /etc/rancher/k3s/k3s.yaml <deps_directory>/utils/kubeconfig.yaml
        chmod 600 ~/.kube/config
        chmod 664 "$(pwd)"/deps/utils/kubeconfig.yaml
        

Post Certificate Renewal Checks

Once the certificate is renewed:
  1. Navigate to the AppViewX Cloud Connector home directory (where the install.sh script is located).
  2. To perform the post-renewal checks, execute the following commands:
    cat deps/utils/kubeconfig.yaml | grep "client-certificate-data" | awk '{print $2}' | base64 --decode | openssl x509 -text -noout | grep 'Not After'
    cat ~/.kube/config | grep "client-certificate-data" | awk '{print $2}' | base64 --decode | openssl x509 -text -noout | grep 'Not After'
    deps/tools/k3s kubectl get pods -A
    
    The certificate should be renewed in both locations, and all the pods should be listed as shown in the image below: