Kubernetes Certificate Management
By default, all Kubernetes clusters created by HPE Ezmeral Runtime Enterprise have:
- A certificate authority with a 10-year life span.
- Client certificates with a 1-year life span.
Kubernetes cluster certificates are created with a one-year duration. If the certificates are allowed to expire, the cluster will become unusable until the certificates are manually re-generated.
To prevent this situation from occurring, about a month prior to the expiration of the certificate, contact Hewlett Packard Enterprise support for assistance with generating new certificates.
Viewing the Expiration Dates of Certificates
To view the expiration dates of both your CA certificates and your client certificates, execute the following command:
kubeadm alpha certs check-expiration
For example:
# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 29, 2021 00:32 UTC   345d                                    no
apiserver                  Aug 29, 2021 00:32 UTC   345d            ca                      no
apiserver-etcd-client      Aug 29, 2021 00:32 UTC   345d            etcd-ca                 no
apiserver-kubelet-client   Aug 29, 2021 00:32 UTC   345d            ca                      no
controller-manager.conf    Aug 29, 2021 00:32 UTC   345d                                    no
etcd-healthcheck-client    Aug 29, 2021 00:32 UTC   345d            etcd-ca                 no
etcd-peer                  Aug 29, 2021 00:32 UTC   345d            etcd-ca                 no
front-proxy-client         Aug 29, 2021 00:32 UTC   345d            front-proxy-ca          no
scheduler.conf             Aug 29, 2021 00:32 UTC   345d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 27, 2030 00:22 UTC   9y              no
etcd-ca                 Aug 27, 2030 00:22 UTC   9y              no
front-proxy-ca          Aug 27, 2030 00:22 UTC   9y              no
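As an added example (not part of this HPE documentation), the following Python script parses output in the format shown above and lists every certificate or CA that expires within 30 days of a given time, the lead time at which this page says to contact support. The sample output, its dates and residual times, and the 30-day threshold are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the format of `kubeadm alpha certs check-expiration`
# (hypothetical dates; not captured from a real cluster).
SAMPLE_OUTPUT = """\
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Aug 29, 2021 00:32 UTC   20d                                     no
apiserver                  Aug 29, 2021 00:32 UTC   20d             ca                      no
etcd-peer                  Sep 30, 2021 00:32 UTC   52d             etcd-ca                 no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 27, 2030 00:22 UTC   9y              no
etcd-ca                 Aug 27, 2030 00:22 UTC   9y              no
"""

# One certificate or CA row: the name, then the EXPIRES timestamp as kubeadm prints it.
# Header lines and the "[check-expiration]" log lines never match because no date follows.
ROW_RE = re.compile(r"^(\S+)\s+([A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}) UTC\b")


def parse_expirations(output):
    """Return {name: expiry datetime in UTC} for every certificate and CA row."""
    result = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            expires = datetime.strptime(m.group(2), "%b %d, %Y %H:%M")
            result[m.group(1)] = expires.replace(tzinfo=timezone.utc)
    return result


def expiring_within(output, now, days=30):
    """Sorted names of certs that expire within `days` of `now` (already-expired ones included)."""
    cutoff = now + timedelta(days=days)
    return sorted(name for name, exp in parse_expirations(output).items() if exp <= cutoff)


if __name__ == "__main__":
    # In practice, feed the real command output: kubeadm alpha certs check-expiration
    soon = expiring_within(SAMPLE_OUTPUT, datetime.now(timezone.utc))
    for name in soon:
        print(f"WARNING: {name} expires within 30 days; engage support to renew")
```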
Renewing a Certificate
If the certificates are allowed to expire, the cluster will become unusable until the certificates are manually re-generated.
About one month prior to the expiration of the certificate, contact Hewlett Packard Enterprise support for assistance with generating new certificates.
Certificate Authority (CA) Rotation
HPE Ezmeral Runtime Enterprise does not provide an automated method of rotating or replacing CA certificates. To manually rotate or replace CA certificates, see Manual Rotation of CA Certificates in the Kubernetes documentation (link opens an external website in a new browser tab or window).
When creating Kubernetes clusters, you can provide custom or external CA certificates and keys. HPE Ezmeral Runtime Enterprise uses kubeadm for initialization. The CA certificate and key that you provide during cluster initialization are written to the locations specified in Certificate Management with kubeadm in the Kubernetes documentation (link opens an external website in a new browser tab or window).
HPE Ezmeral Runtime Enterprise does not support the use of external CA certificates without keys.