Update cert rotation for RKE2 #4087

Merged
merged 1 commit into from
May 12, 2022
Expand Up @@ -9,6 +9,9 @@ By default, Kubernetes clusters require certificates and Rancher launched Kubern

Certificates can be rotated for the following services:

{{% tabs %}}
{{% tab "RKE" %}}

- etcd
- kubelet (node certificate)
- kubelet (serving certificate, if [enabled]({{<baseurl>}}/rke/latest/en/config-options/services/#kubelet-options))
Expand All @@ -17,24 +20,53 @@ Certificates can be rotated for the following services:
- kube-scheduler
- kube-controller-manager

{{% /tab %}}
{{% tab "RKE2" %}}

- admin
- api-server
- controller-manager
- scheduler
- rke2-controller
- rke2-server
- cloud-controller
- etcd
- auth-proxy
- kubelet
- kube-proxy

{{% /tab %}}
{{% /tabs %}}

> **Note:** For users who didn't rotate their webhook certificates, and they have expired after one year, please see this [page]({{<baseurl>}}/rancher/v2.6/en/troubleshooting/expired-webhook-certificates/) for help.


### Certificate Rotation

Rancher launched Kubernetes clusters have the ability to rotate the auto-generated certificates through the UI.

1. In the **Global** view, navigate to the cluster that you want to rotate certificates.

2. Select **⋮ > Rotate Certificates**.

3. Select which certificates that you want to rotate.
1. In the upper left corner, click **☰ > Cluster Management**.
1. On the **Clusters** page, go to the cluster you want to rotate certificates for amd click **⋮ > Rotate Certificates**.
1. Select which certificates that you want to rotate.

* Rotate all Service certificates (keep the same CA)
* Rotate an individual service and choose one of the services from the drop-down menu

4. Click **Save**.
1. Click **Save**.

**Results:** The selected certificates will be rotated and the related services will be restarted to start using the new certificate.

> **Note:** Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher launched Kubernetes clusters.
### Additional Notes

{{% tabs %}}
{{% tab "RKE" %}}

Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher launched Kubernetes clusters.

{{% /tab %}}
{{% tab "RKE2" %}}

In RKE2, both etcd and control plane nodes are treated as the same `server` concept. As such, when rotating certificates of services specific to either of these components will result in certificates being rotated on both. The certificates will only change for the specified service, but you will see nodes for both components go into an updating state. You may also see worker only nodes go into an updating state. This is to restart the workers after a certificate change to ensure they get the latest client certs.

{{% /tab %}}
{{% /tabs %}}
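
Review bot: Typo in the rewritten step 2 of the Certificate Rotation list: "rotate certificates for amd click" should read "rotate certificates for and click". In the step after it, "Select which certificates that you want to rotate" reads better as "Select which certificates you want to rotate". In the RKE2 tab under Additional Notes, the sentence "As such, when rotating certificates of services specific to either of these components will result in certificates being rotated on both" has no subject, and dropping "when" fixes the grammar. That sentence also appears to conflict with the next one, which says the certificates only change for the specified service. Consider saying that nodes of both components go into an updating state, which is what the following sentence describes, instead of "certificates being rotated on both".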