
I am trying to find information about how to monitor internal Kubernetes certificates for expiry. I previously ran into an issue where the certificates expired and my services could no longer communicate, forcing me to rebuild the cluster.

Now I'm trying to make sure that does not happen (I have a custom cluster), but whatever I search for just shows results for external SSL certificates on any website you may host on Kubernetes, but that's not what I'm looking for.

I'm not using kubeadm, and the cluster is built using Kops on AWS.

1 Answer

Based on the resources listed below, I'd say the best solution would be to update kops and its cluster to the recent version. It contains the new version of etcd-manager, and versions >= 3.0.20200428 manage the certificate lifecycle and will automatically request new certificates before expiration.

  1. Upgrade to kOps 1.15.3, 1.16.2, 1.17.0-beta.2, or 1.18.0-alpha.3. This is the recommended approach. Follow the normal steps when upgrading kOps and confirm the etcd-manager image will be updated based on the output of kops update cluster.

     kops rolling-update cluster --instance-group-roles=Master --cloudonly

  2. Another solution is to override the etcd-manager image in the ClusterSpec. The image will be set in two places, one for each etcdCluster (main and events).

     # Set `spec.etcdClusters[*].manager.image` to `kopeio/etcd-manager:3.0.20200428`
     kops update cluster # confirm the image is being updated
     kops update cluster --yes
     kops rolling-update cluster --instance-group-roles=Master --force --cloudonly

Resources:

  • etcd is just one in many Kubernetes components. Sounds like rotating them all is still in their TODO : https://github.com/kubernetes/kops/issues/1020 – SYN Mar 12 '21 at 13:29
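Added example, not from the question, the answer or the kops project: the monitoring piece the question actually asks for. The answer above only fixes the etcd-manager certificates, and the comment points out that the other component certificates still need watching, so this Go check parses every CERTIFICATE block in the PEM files you point it at (on a kops control-plane node the exact paths depend on your kops version, so they are deliberately not hard-coded; pass them as arguments), reports days until NotAfter, and exits with a Nagios-style code (0 ok, 1 warning, 2 critical) so it can run from cron or a monitoring agent. Run without arguments it checks a constructed self-signed certificate that expires in 10 days; `MakeTestCert`, the `kubernetes-master` subject and the 30-day warning window are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CertStatus is the expiry verdict for one CERTIFICATE block.
type CertStatus struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int  // negative once expired
	Expired  bool
	Expiring bool // still valid but inside the warning window
}

// CheckPEM parses every CERTIFICATE block in pemData (a file may hold a chain,
// e.g. a server cert followed by its CA) and compares each NotAfter to now.
func CheckPEM(pemData []byte, now time.Time, warnWithin time.Duration) ([]CertStatus, error) {
	var out []CertStatus
	for rest := pemData; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" { // private keys and other blocks are skipped
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		left := cert.NotAfter.Sub(now)
		out = append(out, CertStatus{
			Subject:  cert.Subject.String(),
			NotAfter: cert.NotAfter,
			DaysLeft: int(left.Hours() / 24),
			Expired:  left <= 0,
			Expiring: left > 0 && left <= warnWithin,
		})
	}
	if len(out) == 0 {
		return nil, errors.New("no CERTIFICATE blocks in input")
	}
	return out, nil
}

// ExitCode maps the worst status to a monitoring exit code: 0 ok, 1 warning, 2 critical.
func ExitCode(statuses []CertStatus) int {
	code := 0
	for _, s := range statuses {
		if s.Expired {
			return 2
		}
		if s.Expiring {
			code = 1
		}
	}
	return code
}

// MakeTestCert builds a constructed self-signed certificate valid from notBefore
// for lifetime; it stands in for a real cluster cert so the example runs offline.
func MakeTestCert(notBefore time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "kubernetes-master"}, // assumed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now, warn := time.Now(), 30*24*time.Hour // warning window is an assumption
	inputs := map[string][]byte{}
	if len(os.Args) < 2 { // no paths given: check the constructed sample
		inputs["constructed-sample"], _ = MakeTestCert(now, 10*24*time.Hour)
	}
	for _, path := range os.Args[1:] {
		data, err := os.ReadFile(path)
		if err != nil {
			fmt.Println(path, err)
			os.Exit(2)
		}
		inputs[path] = data
	}
	worst := 0
	for name, data := range inputs {
		statuses, err := CheckPEM(data, now, warn)
		if err != nil {
			fmt.Println(name, err)
			worst = 2
			continue
		}
		for _, s := range statuses {
			fmt.Printf("%s: %s expires %s (%d days left)\n", name, s.Subject, s.NotAfter.Format(time.RFC3339), s.DaysLeft)
		}
		if c := ExitCode(statuses); c > worst {
			worst = c
		}
	}
	os.Exit(worst)
}
```

The check reads files rather than calling the API server on purpose: when the internal certificates have already expired, kubectl is exactly the thing that stops working, so a file-based check on the control-plane node keeps reporting. Lower the warning window only if you also shorten the interval at which the check runs.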