[tools] Add d8 tools pki certs renew for control-plane certificates

[trofimovdals]

Description

Add d8 tools pki certs renew to deckhouse-cli to re-sign expired or soon-to-expire control-plane certificates locally using the go_lib/controlplane renewal API from the companion PR deckhouse/deckhouse#20129.

• registers a new tools -> pki -> certs -> renew command tree in d8
• renew all re-signs every known control-plane leaf certificate and kubeconfig client certificate; renew PATH re-signs a single file, auto-detecting whether it is a PEM certificate or a kubeconfig
• reads all certificate parameters (CN, SANs, usages, key algorithm) from the existing certificate on disk - no cluster configuration or API access required, designed for emergency recovery (mirrors kubeadm certs renew)
• re-signs with the on-disk CA key; CA is never modified
• per-artifact outcome handling: missing cert, missing CA, external CA (no key), and expired CA are reported as skips; a CA expiring sooner than the freshly issued certificate is reported as a warning
• --dry-run runs all checks and signing in memory without writing any files
• --san (on renew all) adds a new IP SAN to serving certificates that already carry IP SANs (apiserver, etcd/server, etcd/peer) - supports the master-node-IP-change recovery flow without downloading kubeadm or reconstructing cluster config
• --path and --kubeconfig-dir for non-standard layouts; --kubeconfig-dir defaults to the parent of --path
• any skip or warning makes the command exit non-zero with the accumulated warns count
• does not restart or reconfigure cluster components - it only re-signs certificate files on disk; restarts kube-apiserver/kube-controller-manager/kube-scheduler/etcd (or the node/kubelet) needs after renew for changes apply

Examples

d8 tools pki certs renew all

root@dev-test:~# /tmp/d8 tools pki certs check
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY
admin.conf                 May 21, 2027 09:31 UTC   360d            ca
apiserver                  May 21, 2027 09:31 UTC   360d            ca
apiserver-etcd-client      May 21, 2027 09:31 UTC   360d            etcd-ca
apiserver-kubelet-client   May 21, 2027 09:31 UTC   360d            ca
controller-manager.conf    May 21, 2027 09:31 UTC   360d            ca
etcd-healthcheck-client    May 21, 2027 09:31 UTC   360d            etcd-ca
etcd-peer                  May 21, 2027 09:31 UTC   360d            etcd-ca
etcd-server                May 21, 2027 09:31 UTC   360d            etcd-ca
front-proxy-client         May 21, 2027 09:31 UTC   360d            front-proxy-ca
scheduler.conf             May 21, 2027 09:31 UTC   360d            ca
super-admin.conf           May 21, 2027 09:31 UTC   360d            ca

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME
ca                      May 18, 2036 09:31 UTC   9y
etcd-ca                 May 18, 2036 09:31 UTC   9y
front-proxy-ca          May 18, 2036 09:31 UTC   9y

root@dev-test:~# /tmp/d8 tools pki certs renew all
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate the apiserver uses to access etcd renewed
certificate for the front proxy client renewed
certificate for serving etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for liveness probes to healthcheck etcd renewed
certificate embedded in the kubeconfig file for the admin to use renewed
certificate embedded in the kubeconfig file for the super-admin renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate embedded in the kubeconfig file for the scheduler to use renewed

root@dev-test:~# /tmp/d8 tools pki certs check
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY
admin.conf                 May 25, 2027 15:34 UTC   364d            ca
apiserver                  May 25, 2027 15:34 UTC   364d            ca
apiserver-etcd-client      May 25, 2027 15:34 UTC   364d            etcd-ca
apiserver-kubelet-client   May 25, 2027 15:34 UTC   364d            ca
controller-manager.conf    May 25, 2027 15:34 UTC   364d            ca
etcd-healthcheck-client    May 25, 2027 15:34 UTC   364d            etcd-ca
etcd-peer                  May 25, 2027 15:34 UTC   364d            etcd-ca
etcd-server                May 25, 2027 15:34 UTC   364d            etcd-ca
front-proxy-client         May 25, 2027 15:34 UTC   364d            front-proxy-ca
scheduler.conf             May 25, 2027 15:34 UTC   364d            ca
super-admin.conf           May 25, 2027 15:34 UTC   364d            ca

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME
ca                      May 18, 2036 09:31 UTC   9y
etcd-ca                 May 18, 2036 09:31 UTC   9y
front-proxy-ca          May 18, 2036 09:31 UTC   9y

Done. Restart kube-apiserver, kube-controller-manager, kube-scheduler and etcd.

d8 tools pki certs renew all --san 192.168.0.123

root@dev-master-0:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep -A5 "Subject Alternative"
            X509v3 Subject Alternative Name:
                DNS:dev-master-0, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.dvpcluster.local, IP Address:127.0.0.1, IP Address:10.12.0.56, IP Address:10.223.0.1
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        61:4f:ca:95:9f:81:32:d8:fc:35:6a:72:14:48:f1:fc:08:39:
        7e:26:f3:c7:11:05:b6:df:37:31:91:cd:99:3e:76:ca:a8:8e:
root@dev-master-0:~# /tmp/d8 tools pki certs renew all --san 192.168.0.123
certificate for serving the Kubernetes API renewed
certificate for the API server to connect to kubelet renewed
certificate the apiserver uses to access etcd renewed
certificate for the front proxy client renewed
certificate for serving etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for liveness probes to healthcheck etcd renewed
certificate embedded in the kubeconfig file for the admin to use renewed
certificate embedded in the kubeconfig file for the super-admin renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate embedded in the kubeconfig file for the scheduler to use renewed
root@dev-master-0:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | grep -A5 "Subject Alternative"
            X509v3 Subject Alternative Name:
                DNS:dev-master-0, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.dvpcluster.local, IP Address:127.0.0.1, IP Address:10.12.0.56, IP Address:10.223.0.1, IP Address:192.168.0.123
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        4d:14:55:5e:58:47:4d:b3:0f:da:94:6e:fd:92:f8:2c:2d:8f:
        72:cd:48:94:d4:44:2d:ea:ea:1a:1c:d7:20:b5:7f:a6:d6:21:

d8 tools pki certs renew all --dry-run with missing ca

root@dev-master-0:~# /tmp/d8 tools pki certs renew all --dry-run
DRY RUN — no files will be modified
CA "ca" missing, certificate for serving the Kubernetes API skipped: /etc/kubernetes/pki/apiserver.crt
CA "ca" missing, certificate for the API server to connect to kubelet skipped: /etc/kubernetes/pki/apiserver-kubelet-client.crt
certificate the apiserver uses to access etcd renewed
certificate for the front proxy client renewed
certificate for serving etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for liveness probes to healthcheck etcd renewed
CA "ca" missing, certificate embedded in the kubeconfig file for the admin to use skipped: /etc/kubernetes/admin.conf
CA "ca" missing, certificate embedded in the kubeconfig file for the super-admin skipped: /etc/kubernetes/super-admin.conf
CA "ca" missing, certificate embedded in the kubeconfig file for the controller manager to use skipped: /etc/kubernetes/controller-manager.conf
CA "ca" missing, certificate embedded in the kubeconfig file for the scheduler to use skipped: /etc/kubernetes/scheduler.conf
(dry-run) nothing was written
Error executing command: 6 warning(s) emitted; see output above 
root@dev-master-0:~# echo $?
1

d8 tools pki certs renew apiserver.crt from non default dir

root@dev-master-0:~# /tmp/d8 tools pki certs renew apiserver.crt
Error executing command: certificate "apiserver.crt" is not under PKI directory "/etc/kubernetes/pki"; use --path to specify the correct directory

[Copilot]

Pull request overview

Adds a d8 tools pki certs renew command tree to the deckhouse-cli, mirroring kubeadm certs renew. The command re-signs control-plane leaf certificates and kubeconfig client certificates locally using the upgraded go_lib/controlplane renewal API (bumped in go.mod/go.sum), reading certificate parameters from the existing files on disk and using the on-disk CA key. It supports renew all (with optional --san for adding an IP SAN to serving certs, plus --dry-run) and renew PATH for renewing a single file (auto-detecting kubeconfig vs PEM cert). Also refactors the existing certs check builder to use the renewal API's new per-entry error model in place of the old IgnoreReadErrors/joined-error scheme.

Changes:

• New renew command (cmd/renew.go) and renewal logic (renew.go) with per-artifact outcome handling (missing/external/expired CA), CA-outlives-renewed warnings, and dry-run support.
• Refactor of certs.go (BuildFullScanReport / BuildSingleFileReport) to consume the new pki/kubeconfig typed-entry reports and centralize entry building via appendPKIEntry/appendKubeconfigEntry.
• Bump of go_lib/controlplane dependency to a version exposing the renewal API.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
internal/tools/pki/certs/renew.go	New renewal orchestration: full-tree and single-file renewal, error formatting per entry type, dry-run banner/footer, CA-outlives-renewed warning check.
internal/tools/pki/certs/cmd/renew.go	New cobra renew and renew all subcommand wiring with --path, --kubeconfig-dir, --dry-run, --san flags.
internal/tools/pki/certs/cmd/certs.go	Registers the new renew subcommand under certs.
internal/tools/pki/certs/certs.go	Refactors report builders to use the new per-entry typed errors from pki/kubeconfig packages; drops old onlyNotExistErrors/multiUnwrapper helpers.
go.mod / go.sum	Bumps deckhouse/go_lib/controlplane to the version with the renewal API.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.