
TurhanCetin/Certrenewer-Kubernetes-Certificate-Renewal-Service

A lightweight, dependency-free bash automation tool to continuously monitor and renew expiring Kubernetes control plane certificates (<60 days) via systemd timers, featuring safe static pod restarts and real-time Telegram alerts.

Kubernetes Certificate Renewer


This project is a Systemd Timer / Bash Script solution designed to automatically check the certificates of kubeadm-provisioned Kubernetes clusters, renew them for 1 year when necessary, and report the final status via Telegram.

📌 Features

  • Automated Checks: Runs automatically at 03:00 on the 1st of every month via Systemd Timer.
  • 60-Day Rule: Only performs the renewal process if there are certificates with 60 days or less remaining until expiration. If there are more than 60 days left, it does not take action and sends a SKIPPED notification.
  • Telegram Notifications: Reports the result of the process to your Telegram (✅ SUCCESS, 🔴 FAILED, ℹ️ SKIPPED, ✅ SUCCESS (FORCED)) using the company and cluster name (e.g., 🏢 Company Inc. | 🖥️ test-cluster).
  • Automatic Restart: Upon certificate renewal, it safely reloads static pods via the touch method so Control Plane components (apiserver, etcd, etc.) can detect the new certificates instantly. A full Kubelet restart (or downtime) is not required.
  • Portability: No dependencies like Terraform or Ansible. It doesn't require any external packages. In isolated environments, you can simply copy the install.sh file to the server and install it.
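The schedule described above ("03:00 on the 1st of every month") as a systemd service/timer pair. This is an illustrative example added here, not the units that the project's install.sh writes; the unit names and file paths are assumptions, while the script path is the one the README names. Persistent=true is the setting worth checking in any such timer: if the node was powered off at 03:00 on the 1st, the run happens at the next boot instead of waiting a month, which matters when the renewal window is only 60 days.

```ini
# Illustrative units (assumed names; not copied from the project's install.sh).
# /etc/systemd/system/k8s-cert-renew.service
[Unit]
Description=Renew kubeadm certificates when 60 days or less remain

[Service]
Type=oneshot
ExecStart=/usr/local/bin/k8s-cert-renew.sh

# /etc/systemd/system/k8s-cert-renew.timer
[Unit]
Description=Monthly kubeadm certificate check

[Timer]
# 1st of every month at 03:00 (verify with: systemd-analyze calendar '*-*-01 03:00:00')
OnCalendar=*-*-01 03:00:00
# Run a missed trigger at next boot rather than skipping a whole month
Persistent=true
# Spread runs across control-plane nodes so they do not all restart static pods at once
RandomizedDelaySec=10min

[Install]
WantedBy=timers.target
```

After `systemctl daemon-reload` and `systemctl enable --now k8s-cert-renew.timer`, `systemctl list-timers` shows the next scheduled run; `journalctl -u k8s-cert-renew.service` holds the output of each run alongside the tool's own log file.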

🚀 Installation

To install the system, navigate to the project directory (where these files are located) and run the install.sh script as root (sudo), providing your configuration parameters.

Basic Installation

Your Company Name (-c), Cluster Name (-k), Telegram Bot Token (-t), and Telegram Chat ID (-i) are mandatory parameters.

sudo ./install.sh -c "Your-Company" -k "ClusterName-test" -t "YOUR_TELEGRAM_BOT_TOKEN" -i "YOUR_TELEGRAM_GROUP_CHAT_ID"

The configured company name and cluster name will appear in the Telegram notification message.

✅ Once the installation is complete, it will send a success notification via Telegram with the message "✅ Certificate Renewer Installed". Afterward, it will start running itself in the background every month.

Installation + Immediate Execution (Forced Renewal Test)

If you want to test whether the system you installed can actually renew the certificates by forcing a renewal, even if your certificates still have 11 months left (more than 60 days), you can append the -f flag to the end.

sudo ./install.sh -c "Your-Company" -k "ClusterName-test" -t "YOUR_TELEGRAM_BOT_TOKEN" -i "YOUR_TELEGRAM_GROUP_CHAT_ID" -f

✅ Right after installation completes, the certificates are entirely renewed immediately, pods are restarted in the background, and the "✅ SUCCESS (FORCED)" message drops into Telegram.

💡 Tip: If you don't want to install without first testing your bot and chat group, fetch the tokens beforehand and do an initial "ignition" run directly with -f. On large clusters this is one of the most reliable end-to-end checks that the whole chain (renewal, static pod restart, notification) works.


🔄 Manual Usage

After the tool is successfully installed, its main script lives at /usr/local/bin/k8s-cert-renew.sh. You can trigger the job manually right away with either of the following commands, without waiting for the timer:

1️⃣ Normal Check

This is the command triggered by the timer. It checks the certificate duration. If there are fewer than 60 days left, it renews them and performs a restart (while notifying Telegram). If the remaining duration is ample (e.g., 3 months), it does nothing and simply sends an "ℹ️ SKIPPED" notification.

sudo /usr/local/bin/k8s-cert-renew.sh

2️⃣ Forced Renewal

Ignores the remaining duration. Regardless of how many days the current certificates have left, it deletes them and applies the kubeadm certs renew all command from scratch for another 1 year.

sudo /usr/local/bin/k8s-cert-renew.sh --force
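The decision logic behind the Features list (60-Day Rule, Automatic Restart) and the two manual modes above, as an added example that is not the project's own k8s-cert-renew.sh. It parses output in the layout of `kubeadm certs check-expiration`, takes the lowest residual time over the leaf certificates, and returns RENEW, SKIP, or RENEW (FORCED). The sample table, the function names, and the front-proxy-ca row at 50 days are constructed for illustration. Two points a practitioner would want that the README does not spell out: `kubeadm certs renew all` renews leaf certificates but not the CAs, so a CA inside the threshold needs a separate alert rather than silent success; and a residual time shown as `<invalid>` (already expired) must be treated as due now, not as a parse error.

```bash
#!/usr/bin/env bash
# Added example (not the project's script): the renew/skip decision behind the
# 60-day rule, applied to `kubeadm certs check-expiration` style output.
# Function names, the sample table and the CA-at-50d case are constructed here.
set -eu

THRESHOLD_DAYS="${THRESHOLD_DAYS:-60}"   # README rule: renew at 60 days or less

# Constructed sample in the layout kubeadm prints: a leaf-certificate table,
# a blank line, then the certificate-authority table.
sample_output() {
  cat <<'EOF'
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 01, 2026 03:00 UTC   320d            ca                      no
apiserver                  Mar 01, 2026 03:00 UTC   45d             ca                      no
apiserver-etcd-client      Mar 01, 2026 03:00 UTC   45d             etcd-ca                 no
apiserver-kubelet-client   Mar 01, 2026 03:00 UTC   45d             ca                      no
etcd-server                Mar 01, 2026 03:00 UTC   45d             etcd-ca                 no
front-proxy-client         Mar 01, 2026 03:00 UTC   45d             front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Jan 10, 2035 03:00 UTC   9y              no
etcd-ca                 Jan 10, 2035 03:00 UTC   9y              no
front-proxy-ca          Mar 06, 2026 03:00 UTC   50d             no
EOF
}

# Convert a kubeadm residual-time token ("45d", "9y", "23h", "<invalid>") to whole days.
residual_to_days() {
  case "$1" in
    '<invalid>') echo 0 ;;                      # already expired: due now
    *y) echo $(( ${1%y} * 365 )) ;;
    *d) echo "${1%d}" ;;
    *h|*m|*s) echo 0 ;;                         # less than a day left: due now
    *) echo "unrecognised residual time: $1" >&2; return 1 ;;
  esac
}

# Print "kind name residual" per row. Leaf rows have 9 fields (EXPIRES spans five
# tokens: "Mar 01, 2026 03:00 UTC"), CA rows have 8; headers and log lines are dropped.
parse_residuals() {
  printf '%s\n' "$1" | awk '
    $1 == "CERTIFICATE" || $1 ~ /^\[/ { next }
    NF == 9 { print "leaf", $1, $7 }
    NF == 8 { print "ca",   $1, $7 }'
}

# Lowest residual (days) over the leaf certificates that `kubeadm certs renew all` renews.
# Fails (so the caller reports FAILED) rather than returning 0 if nothing parsed.
min_leaf_days() {
  local min="" pair days
  for pair in $(parse_residuals "$1" | awk '$1=="leaf"{print $2":"$3}'); do
    days=$(residual_to_days "${pair#*:}") || return 1
    if [ -z "$min" ] || [ "$days" -lt "$min" ]; then min=$days; fi
  done
  [ -n "$min" ] || { echo "no leaf certificate rows found" >&2; return 1; }
  echo "$min"
}

# CAs at or inside the threshold: `kubeadm certs renew all` does not renew these,
# so they need their own notification instead of a SUCCESS message.
ca_warnings() {
  local name residual days
  parse_residuals "$1" | awk '$1=="ca"{print $2, $3}' | while read -r name residual; do
    days=$(residual_to_days "$residual") || continue
    if [ "$days" -le "$2" ]; then echo "$name $residual"; fi
  done
}

# $1 = check-expiration output, $2 = threshold in days, $3 = "force" to ignore it.
decide_action() {
  local days
  days=$(min_leaf_days "$1") || return 1
  if [ "${3:-}" = force ]; then echo "RENEW (FORCED)"
  elif [ "$days" -le "$2" ]; then echo "RENEW"
  else echo "SKIP"; fi
}

# The README's "touch method": bump each static-pod manifest's mtime so the kubelet
# re-reads it. The directory is a parameter so this can be tried on a scratch copy;
# on a real node it is /etc/kubernetes/manifests.
touch_static_pods() {
  local f n=0
  for f in "$1"/*.yaml; do
    [ -e "$f" ] || continue          # unmatched glob stays literal: nothing to do
    touch "$f"
    n=$((n + 1))
  done
  echo "$n"
}

# Demo on the constructed sample.
SAMPLE=$(sample_output)
echo "lowest leaf residual: $(min_leaf_days "$SAMPLE")d, action at ${THRESHOLD_DAYS}d: $(decide_action "$SAMPLE" "$THRESHOLD_DAYS")"
ca_warnings "$SAMPLE" "$THRESHOLD_DAYS" | sed 's/^/CA within threshold (not renewed by kubeadm certs renew all): /'
```

On a live node the sample would be replaced by `kubeadm certs check-expiration` output and RENEW would be followed by `kubeadm certs renew all` and `touch_static_pods /etc/kubernetes/manifests`. Whether an mtime change alone is enough for your kubelet version to recreate the pods is worth verifying on a non-production control plane before relying on it (`crictl ps` or `kubectl get pods -n kube-system` showing fresh start times), and the clients that use admin.conf need a refreshed kubeconfig after renewal as well.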

πŸ—‘οΈ Uninstallation

Once you are done testing, or if you don't want to keep using the tool, running the uninstaller command is enough to wipe it from all Systemd records.

sudo ./uninstall.sh

This operation keeps the logs created so far (in case you want to read them), but removes the scheduled timer and the background scripts from the server. You can still check the log file at /var/log/k8s-cert-renewal.log.


👥 Contributing

We welcome contributions! Please see our Contributing Guide for more details.


πŸ“ Changelog

See the CHANGELOG.md file for details on our versioning and version history.