How to rotate certificates for clusters launched by RKE v0.1.x or Rancher v2.0.x and v2.1.x
This document (000020226) is provided subject to the disclaimer at the end of this document.
Situation
Task
Kubernetes clusters use multiple certificates to provide both encryption of traffic to the Kubernetes components as well as authentication of these requests. These certificates are auto-generated for clusters launched by Rancher and also clusters launched by the Rancher Kubernetes Engine (RKE) CLI.
In Rancher v2.0.x and v2.1.x, the auto-generated certificates for Rancher-launched Kubernetes clusters have a validity period of one year, meaning these certificates will expire one year after the cluster is provisioned. The same applies to Kubernetes clusters provisioned by v0.1.x of the Rancher Kubernetes Engine (RKE) CLI.
If you created a Rancher-launched or RKE-provisioned Kubernetes cluster about 1 year ago, and have not already rotated the certificates, you need to rotate the certificates. If no action is taken, then when the certificates expire, the cluster will go into an error state and the Kubernetes API for the cluster will become unavailable. Rancher recommends that you rotate the certificates before they expire to avoid an unexpected service interruption. The rotation is a one time operation, and the newly-generated certificates will be valid for the next 10 years.
Pre-requisites
- A Kubernetes cluster launched by RKE CLI v0.1.x, or Rancher v2.0.x and v2.1.x
Resolution
Full details on who to rotate the certificates for the both RKE and Rancher launched clusters can be found in the Rancher blog post "Manual Rotation of Certificates in Rancher Kubernetes Clusters".
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.