Renew expired kubeadm certs

[spowelljr]

Fixes #16201

Explanation for below commands in before and after:

$ sudo timedatectl set-time 2024-03-03
$ minikube ssh -- sudo service kubelet restart

When testing my changes I ran into the kubelet certs being expired. I found the following comment kubernetes/kubeadm#2054 (comment):

normally this will not happen because the kubelet certificate manager has logic to monitor for certificate expiration and it will auto-rotate your client certificates once ~70% of the expiration period is reached. by forcing a date you are bypassing this mechanism and you end up with a certificate which was not rotated.

Manually forcing the date forward beyond kubelets certs expiration date was resulting in the certs not being rotated at all, so set the time less than a year, restart the kubelet service to force the certs rotation, then move time forward to make kubeadm certs be expired, but not far enough to make the kubelet certs expired. This would be handled for us if a cluster was running for a year.

# start minikube
# kubeadm expiration: 2024-04-07 kubelet expiration: 2024-04-07
# set time to 2024-03-03
# refresh kubelet certs
# kubeadm expiration: 2024-04-07 kubelet expiration: 2025-03-03
# set time to 2025-02-02
# kubeadm expiration: 2024-04-07 (EXPIRED) kubelet expiration: 2025-03-03 (VALID)

Before:

$ minikube start
$ sudo timedatectl set-ntp no
$ sudo timedatectl set-time 2024-03-03
$ minikube ssh -- sudo service kubelet restart
$ minikube stop
$ sudo timedatectl set-time 2025-02-02
$ minikube start
...
W0810 00:00:52.022507    4629 certs.go:521] WARNING: could not validate bounds for certificate apiserver-kubelet-client: the certificate has expired: NotBefore: 2023-04-04 17:14:07 +0000 UTC, NotAfter: 2024-04-04 17:14:09 +0000 UTC
error execution phase certs/apiserver-kubelet-client: [certs] certificate apiserver-kubelet-client not signed by CA certificate ca: x509: certificate has expired or is not yet valid: current time 2025-08-10T00:00:52Z is after 2024-04-04T17:14:09Z
To see the stack trace of this error execute with --v=5 or higher


╭───────────────────────────────────────────────────────────────────────────────────────────╮
│                                                                                           │
│    😿  If the above advice does not help, please let us know:                             │
│    👉  https://github.com/kubernetes/minikube/issues/new/choose                           │
│                                                                                           │
│    Please run `minikube logs --file=logs.txt` and attach logs.txt to the GitHub issue.    │
│                                                                                           │
╰───────────────────────────────────────────────────────────────────────────────────────────╯

After:

$ minikube start
$ sudo timedatectl set-ntp no
$ sudo timedatectl set-time 2024-03-03
$ minikube ssh -- sudo service kubelet restart
$ minikube stop
$ sudo timedatectl set-time 2025-02-02
$ minikube start
😄  minikube v1.30.1 on Debian 11.6 (amd64)
✨  Using the docker driver based on existing profile
👍  Starting control plane node minikube in cluster minikube
🚜  Pulling base image ...
🔄  Restarting existing docker container for "minikube" ...
❗  This container is having trouble accessing https://registry.k8s.io
💡  To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/
🐳  Preparing Kubernetes v1.26.3 on Docker 23.0.2 ...
❗  kubeadm certificates have expired. Generating new ones...
🔗  Configuring bridge CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: default-storageclass, storage-provisioner
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

❗  This container is having trouble accessing https://registry.k8s.io
💡  To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/

Is due to SSL certs being expired with forced time change

[spowelljr]

/ok-to-test

[medyagh]

how about using linux to check if a cert is valid or not to avoid time zone difference between minikube and the host

Open a terminal window in Linux.

Type the following command, replacing <cert-file> with the path and name of the certificate file you want to check:
openssl x509 -enddate -noout -in <cert-file>
Press Enter.

The output of the command will display the end date of the certificate in the format notAfter=YYYYMMDDHHMMSSZ.

For example:

notAfter=20230410000000Z
Check the end date of the certificate. If the end date is in the past, then the certificate has expired.

For example, in the output above, the certificate will expire on April 10, 2023, at midnight UTC. If today's date is after April 10, 2023, then the certificate has expired.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: medyagh, spowelljr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [medyagh,spowelljr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[minikube-pr-bot]

kvm2 driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 16249) |
+----------------+----------+---------------------+
| minikube start | 49.7s    | 49.5s               |
| enable ingress | 27.3s    | 26.6s               |
+----------------+----------+---------------------+

Times for minikube ingress: 28.7s 25.1s 27.6s 26.6s 28.6s
Times for minikube (PR 16249) ingress: 23.1s 28.6s 27.2s 27.1s 27.2s

Times for minikube start: 51.7s 47.4s 52.2s 48.4s 48.8s
Times for minikube (PR 16249) start: 48.3s 52.4s 47.1s 47.7s 51.9s

docker driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 16249) |
+----------------+----------+---------------------+
| minikube start | 22.5s    | 22.8s               |
| enable ingress | 21.7s    | 21.7s               |
+----------------+----------+---------------------+

Times for minikube (PR 16249) start: 22.5s 21.8s 25.2s 22.6s 21.9s
Times for minikube start: 22.4s 22.9s 22.2s 21.4s 23.5s

Times for minikube ingress: 22.4s 21.3s 20.8s 22.4s 21.4s
Times for minikube (PR 16249) ingress: 21.4s 20.8s 21.4s 21.9s 22.9s

docker driver with containerd runtime

+-------------------+----------+---------------------+
|      COMMAND      | MINIKUBE | MINIKUBE (PR 16249) |
+-------------------+----------+---------------------+
| minikube start    | 21.8s    | 22.5s               |
| ⚠️  enable ingress | 29.2s    | 38.1s ⚠️             |
+-------------------+----------+---------------------+

Times for minikube start: 20.6s 23.3s 21.6s 21.1s 22.6s
Times for minikube (PR 16249) start: 21.0s 23.4s 20.5s 24.3s 23.1s

Times for minikube ingress: 31.4s 31.3s 32.3s 19.3s 31.4s
Times for minikube (PR 16249) ingress: 47.4s 32.3s 47.3s 31.3s 32.3s

[minikube-pr-bot]

These are the flake rates of all failed tests.

Environment	Failed Tests	Flake Rate (%)
KVM_Linux	TestNetworkPlugins/group/custom-flannel/Start (gopogh)	1.22 (chart)
KVM_Linux	TestStartStop/group/no-preload/serial/AddonExistsAfterStop (gopogh)	4.27 (chart)
KVM_Linux	TestStartStop/group/no-preload/serial/Pause (gopogh)	4.27 (chart)
KVM_Linux	TestStartStop/group/no-preload/serial/SecondStart (gopogh)	4.27 (chart)
KVM_Linux	TestStartStop/group/no-preload/serial/UserAppExistsAfterStop (gopogh)	4.27 (chart)
KVM_Linux	TestStartStop/group/no-preload/serial/VerifyKubernetesImages (gopogh)	4.27 (chart)
KVM_Linux_containerd	TestStoppedBinaryUpgrade/Upgrade (gopogh)	5.56 (chart)
Hyperkit_macOS	TestRunningBinaryUpgrade (gopogh)	14.94 (chart)

To see the flake rates of all tests by environment, click here.