I have a kubeconf
file, but I cannot find the key and the certificate that was used to create it. Here comes help…
kubeadm
does a great job in creating all the necessary keys, certificates and kubeconf
files required for a Kubernetes cluster. As I was playing around recently with users, roles, and kubeconfs I discovered that the key and the certificate for the kubernetes-admin are missing.
And here I want to demonstrate how those files can be exported from the kubeconf.
In one of my previous posts I talked about how to create a user, its permissions and roles in Kubernetes:
https://www.livefire.solutions/kubernetes/create-a-user-in-kubernetes
Take a look if you want to learn more about how these kubeconf files are created.
Starting Point
I have setup my Kubernetes cluster using kubeadm
and per default kubeadm
stores all the certificates and keys in the /etc/kubernetes/pki
directory. But as we can see below there is no admin.key
and no admin.crt
file:

So lets export them from our admin kubeconf file stored in /etc/kubernetes
Verify Content and Export Certificates
Lets take a view on the content of: /etc/kubernetes/admin-conf
Note: To preserve readability lines are cut off.

We are interested in the two lines at the end that contain the key and certificates information. So lets grep out the client-certificate-data
and decode the content:
grep "client-certificate-data" admin.conf | awk '{print $2}' | base64 -d

As you can see above, the result looks very familiar… š
Repeat the step for client-key-data
and write the output to files:
grep "client-certificate-data" admin.conf | awk '{print $2}' | base64 -d > admin.crt
grep "client-key-data" admin.conf | awk '{print $2}' | base64 -d > admin.key
In a final step, lets verify the exported admin.crt
Show the first 20 lines of the certificate information by running:
openssl x509 -in admin.crt -noout -text | head -20

We can see the issuer, validity and subject information. Seems our export was successful.