# OpenShift Certificate Checks

## OpenShift 4 Certificate Checks

1. Get all certificates

```
# List every kubernetes.io/tls secret with the expiry date of its tls.crt
echo -e "NAMESPACE\tNAME\tEXPIRY" && oc get secrets -A -o go-template='{{range .items}}{{if eq .type "kubernetes.io/tls"}}{{.metadata.namespace}}{{" "}}{{.metadata.name}}{{" "}}{{index .data "tls.crt"}}{{"\n"}}{{end}}{{end}}' | while read -r namespace name cert; do echo -en "$namespace\t$name\t"; echo "$cert" | base64 -d | openssl x509 -noout -enddate; done | column -t > cert_expiry_date.txt
```

```
# Dump the decoded PEM of every kubernetes.io/tls secret, labelled by namespace and name
oc get secrets -A -o go-template='{{range .items}}{{if eq .type "kubernetes.io/tls"}}{{.metadata.namespace}}{{" "}}{{.metadata.name}}{{" "}}{{index .data "tls.crt"}}{{"\n"}}{{end}}{{end}}' | while read -r namespace name cert; do echo " "; echo -en "Namespace: $namespace\t\nCertificateName: $name\t\n"; echo " "; echo "$cert" | base64 -d; done &> Certificates.txt
```

2. Check the etcd certificates

```
# On each master node, read the certificate served on the etcd ports (2379, 2380, 9979)
oc get no -l node-role.kubernetes.io/master --no-headers -o name | xargs -I {} -- oc debug {} -- bash -c 'for p in 2379 2380 9979 ;do openssl s_client -connect localhost:$p -showcerts </dev/null 2>/dev/null | openssl x509 -noout -subject -startdate -enddate ;done' > etcd_cert.txt
```

3. Get a must-gather

```
oc adm must-gather
```

## OCP3: Renewing Certificates for Other Components

* Service Catalog
* Metrics Server
* Hawkular Metrics
* Logging

https://access.redhat.com/solutions/4082831

---

CYG - notes

prod:

* RD7 AIO: rd7-ocp4-prod-must.tar
* PID order copy (抄單): ocp3-pid-tls.txt
* PID IPL: pid-ocp4-etcd-must-prod.tar

QA:

* PID order copy (抄單): pid-ocp3-qa-must.txt
* RD7 AIO: rd7-ocp4-qa-must.tar
* PID IPL: pid-ocp4-qa-must.tar
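
The `cert_expiry_date.txt` report written in step 1 of the OpenShift 4 checks only lists dates; the following added example (not part of the original note) filters it down to certificates that are expired or close to expiry. The function names, the sample rows and the fixed "now" argument are assumptions for illustration, and GNU `date -d` is required.

```shell
# Added example: triage the step 1 report (cert_expiry_date.txt).
# Usage: expiring_certs 30 < cert_expiry_date.txt

# expiring_certs DAYS [NOW_EPOCH]
# Reads the report on stdin and prints "namespace<TAB>name<TAB>days_left" for
# every certificate with fewer than DAYS days left, soonest first. Zero or a
# negative value means expired or less than a day left. Rows whose expiry
# cannot be parsed are reported on stderr instead of being silently dropped.
expiring_certs() {
  local threshold=$1 now=${2:-$(date +%s)} ns name rest end left
  while read -r ns name rest; do
    [ -z "$ns" ] && continue                 # blank line
    [ "$ns" = "NAMESPACE" ] && continue      # header row
    # openssl prints "notAfter=Mar 14 08:21:33 2025 GMT"; column -t pads it.
    rest=${rest#notAfter=}
    # date -d accepts an empty string, so reject a missing expiry explicitly.
    if [ -z "$rest" ] || ! end=$(date -u -d "$rest" +%s 2>/dev/null); then
      echo "unparsable expiry: $ns/$name" >&2
      continue
    fi
    left=$(( (end - now) / 86400 ))
    if [ "$left" -lt "$threshold" ]; then
      printf '%s\t%s\t%s\n' "$ns" "$name" "$left"
    fi
  done | sort -t "$(printf '\t')" -k3,3n
}

# Constructed sample in the shape of cert_expiry_date.txt (not real cluster data).
sample_report() {
  cat <<'EOF'
NAMESPACE          NAME          EXPIRY
openshift-ingress  router-certs  notAfter=Jan  11  00:00:00  2025  GMT
openshift-etcd     etcd-peer     notAfter=Dec  31  00:00:00  2026  GMT
demo               expired-cert  notAfter=Dec  22  00:00:00  2024  GMT
demo               empty-cert
EOF
}
```
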