Updated output
Editorial fixes
Merged sections
Fixed typos and indentation
Updated sections titles
Reordered sections in index
Fixed minor grammar issues
Added alarms exception
Described syntax of subject and expiry_date in example
Added references
Replaced K8s for Kubernetes

Story: 2008675
Task: 42625
Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: I178fe9747c558d13c05b5cf61271fcaff59f6c26
Update/Renew Kubernetes Certificates
Updating the Kubernetes Root certificate is a complex process: not only must the Root certificate itself be updated, but all the other Kubernetes certificates signed by it must also be regenerated and updated.
See Manual Kubernetes Root CA Certificate Update <manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9> or Kubernetes Root CA Certificate Update Cloud Orchestration <kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d> for how to update the Kubernetes Root certificate.
The other leaf certificates generated from the Kubernetes Root are monitored by a cronjob, which runs every day at midnight. It checks whether the expiry date of any of these certificates is approaching and renews each certificate whose expiry date is within 15 days.
If the renewal fails, a 250.003 alarm will be raised:

- Kubernetes certificates have been renewed but not all services have been updated.
  For this alarm, the controller nodes need to be locked and unlocked so that the services pick up the new certificates.
- Kubernetes certificates renewal failed.
  For this alarm, the Kubernetes certificates need to be renewed manually, during which the services need to restart.

If this alarm is raised, the administrator should follow the recommended action for the specific alarm.
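
The 15-day expiry check that the daily cronjob performs can be reproduced by hand to see which certificates are inside the renewal window, for example before a manual renewal. This is an added example, not the project's cronjob script: it assumes `openssl` is installed, all function names are hypothetical, and the sample certificates are constructed. On a kubeadm-style node the directory to scan would typically be `/etc/kubernetes/pki`, which is an assumption about the node layout.

```shell
#!/bin/sh
# Added example: find certificates inside the 15-day renewal window.
RENEW_WINDOW_DAYS=15

# Exit status: 0 = expires within <days>, 1 = valid beyond that, 2 = unreadable.
cert_expires_within() {
    cert=$1 days=$2
    # Reject files that do not parse, so they are not mistaken for expiring.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate is still valid after N seconds.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
    then return 1
    fi
    return 0
}

# Print "<path> <notAfter>" for every *.crt in <dir> that is due for renewal.
certs_due_for_renewal() {
    dir=$1 days=${2:-$RENEW_WINDOW_DAYS}
    for cert in "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        rc=0
        cert_expires_within "$cert" "$days" || rc=$?
        case $rc in
            0) end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
               printf '%s %s\n' "$cert" "$end" ;;
            2) printf 'unreadable certificate: %s\n' "$cert" >&2 ;;
        esac
    done
}

# Constructed sample input: a self-signed certificate valid for <days> days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2" -days "$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Demo on constructed data: only the 10-day certificate is reported.
demo() {
    tmp=$(mktemp -d)
    make_sample_cert "$tmp" apiserver-sample 10
    make_sample_cert "$tmp" kubelet-sample 365
    echo "not a certificate" > "$tmp/broken.crt"
    certs_due_for_renewal "$tmp" 2>/dev/null
    rm -rf "$tmp"
}
```

A file that does not parse as a certificate is reported on stderr instead of being counted as expiring, so a corrupted file is not confused with one that is merely due for renewal.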