Update kubernetes certificate when an instance is upgraded (OVA only issue)

This idea should definitely be implemented. My internal Kubernetes certs had expired, but I did not know it until I tried to do some RightSizing on a weekend. I had a limited change window, and support was unable to get Turbo working in time for me to do the RightSizing. I had put a lot of time and effort into negotiating the RightSizing and timing with the application team, and even though I worked for 7 hours on a Saturday, I wasn't able to accomplish anything. I can't try again until September due to the app team's schedule; so this issue really messed things up for me.

We had a meeting today with Billy and Jet to discuss incorporating the certificate renewal script into the online/offline upgrades. Billy has mentioned that the OVA upgrades are intended for upgrading Turbo components only and we should not add the certificate renewal to the Turbo upgrade script.

However, Jet has mentioned that he has encountered some issues with the kubeNodeCertUpdate.sh, where he has to reach out to Support because the cert update script did not move the files to the right location. As a next step, Jet is going to share the details of the cert update script issue and include info on the steps that Support used to solve the problems. Once we are clear on the issues, the kubeNodeCertUpdate.sh can be enhanced address those problems.

Hi Mitchell:
The k8s certificate renewal script is here: https://github.com/turbonomic/t8c-install/blob/master/bin/kubeNodeCertUpdate.sh

In my opinion the script above should be included as part of doing online or offline upgrades using the scripts below:

Online: https://github.com/turbonomic/t8c-install/blob/master/bin/onlineUpgrade.sh

Offline: https://github.com/turbonomic/t8c-install/blob/master/bin/offlineUpdate.sh

A further nice to have would be for the MariaDB upgrade to be included in the upgrade scripts above as well to have the MariaDB upgraded in the OVA when it is needed which that script is here:
https://github.com/turbonomic/t8c-install/blob/master/bin/mariadbUpgrade.sh

Thanks,

Russ and Jason - Can you attach a copy of the script please?

Hi Mitchell, this is only for the OVA when doing upgrades since it is a Turbo created single node cluster in the OVA. Deployments into k8s have their own certificates in the cluster that Turbo won't need to manage during upgrades as we don't deploy them in that case.

Thanks Jason for clarifying. Yes, I think it makes sense to proactively check for certificate expiry. You mentioned about the OVA in the comments, do we also to have the same check for K8S deployments as well? Wanted to see if this is a generic issue or only for OVA deployments.

Hi Mitchell, yes there was a misunderstanding between what I wrote and you interpreted as. It is as the guest replied below.

Hi Mitchell, this is only related to the kubernetes certificate expiring every year and there is no warning before it expires. Currently the only check for this is the upgrade-precheck script. This Idea is to have the k8s certificate renewal process in the OVA done as part of upgrades to prevent this from happening going forward and causing the instance to be down without warning

We have a health check feature where the UI alerts the user when the targets are not validating. It is also available via Turbo API so that user can check the target validation status in an automated fashion. Any reason why the customer is not using this feature?