Improve certificate check output #12049

Open
manuelbuil opened this issue Apr 2, 2025 · 0 comments
Labels
kind/good-first-issue Good for newcomers

manuelbuil commented Apr 2, 2025

Is your feature request related to a problem? Please describe.

When executing k3s certificate check --output table, we get useful output to learn about the certificate expiration date. For example:

CERTIFICATE                SUBJECT                                            STATUS  EXPIRES
-----------                -------                                            ------  -------
client-kube-proxy.crt      CN=system:kube-proxy                               OK      2026-04-02T13:22:31Z
client-kube-proxy.crt      CN=k3s-client-ca@1743600133                        OK      2035-03-31T13:22:13Z
client-kubelet.crt         CN=system:node:vm1,O=system:nodes                  OK      2026-04-02T13:22:31Z
client-kubelet.crt         CN=k3s-client-ca@1743600133                        OK      2035-03-31T13:22:13Z
serving-kubelet.crt        CN=vm1                                             OK      2026-04-02T13:22:31Z
serving-kubelet.crt        CN=k3s-server-ca@1743600133                        OK      2035-03-31T13:22:13Z
client-k3s-controller.crt  CN=system:k3s-controller                           OK      2026-04-02T13:22:31Z
client-k3s-controller.crt  CN=k3s-client-ca@1743600133                        OK      2035-03-31T13:22:13Z

However, that output could be confusing because:

  • The same certificate file is shown twice: once pointing at the certificate and once pointing at the CA
  • The same CA certificate is shown in different lines
  • In theory, "subject" is the entity that the certificate is issued to, not the CA. In this output we use a column "subject" for both

Describe the solution you'd like

I would like to see an output where subject certificates and CA certificates are separated into two sections and there is a column that links the subject certificate to each CA. For example, kubeadm certs check-expiration is a good example:

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
apiserver                  Aug 16, 2024 10:00 UTC   364d            ca                      no
apiserver-etcd-client      Aug 16, 2024 10:00 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Aug 16, 2024 10:00 UTC   364d            ca                      no
etcd-healthcheck-client    Aug 16, 2024 10:00 UTC   364d            etcd-ca                 no
etcd-peer                  Aug 16, 2024 10:00 UTC   364d            etcd-ca                 no
etcd-server                Aug 16, 2024 10:00 UTC   364d            etcd-ca                 no
front-proxy-client         Aug 16, 2024 10:00 UTC   364d            front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 13, 2033 10:00 UTC   9y              no
etcd-ca                 Aug 13, 2033 10:00 UTC   9y              no
front-proxy-ca          Aug 13, 2033 10:00 UTC   9y              no

Describe alternatives you've considered

Additional context
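
The separation requested above, as an added example that is not part of the original issue and is not k3s code: certificates read from each file are split into leaf rows, each linked to its CA by issuer name, and CA rows that are listed only once across files. `Row`, `Split` and `newCert` are hypothetical names, the certificates are constructed samples, and treating the basic-constraints CA flag as the leaf/CA discriminator is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Row struct{ File, Subject, Issuer, Expires string } // Issuer is empty for CA rows

// Split (hypothetical helper) returns leaf rows linked to their issuer and not-yet-seen CA rows.
func Split(file string, certs []*x509.Certificate, seen map[string]bool) (leaves, cas []Row) {
	for _, c := range certs {
		exp := c.NotAfter.UTC().Format(time.RFC3339)
		if !c.IsCA {
			leaves = append(leaves, Row{file, c.Subject.String(), c.Issuer.String(), exp})
		} else if !seen[string(c.Raw)] {
			seen[string(c.Raw)] = true // same CA bundled in several files: report it once
			cas = append(cas, Row{file, c.Subject.String(), "", exp})
		}
	}
	return leaves, cas
}

// newCert creates a constructed sample certificate; a nil parent yields a self-signed CA.
func newCert(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), BasicConstraintsValid: true}
	if parent == nil {
		tpl.IsCA, tpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, pk = tpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, priv
}

func main() {
	ca, caKey := newCert("sample-client-ca", nil, nil)
	proxy, _ := newCert("system:kube-proxy", ca, caKey)
	fmt.Println(Split("client-kube-proxy.crt", []*x509.Certificate{proxy, ca}, map[string]bool{}))
}
```

Sharing one `seen` map across calls is what keeps a CA bundled into several files from being repeated in the CA section.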
