Certificates
PKI certificates management
TLS certificates in a cluster
It's possible to regenerate Kubernetes control plane certificates with LambdaStack. To do so, additional configuration should be specified.
kind: configuration/kubernetes-master
title: "Kubernetes Control Plane Config"
name: default
provider: <provider>
specification:
  advanced:
    certificates:
      expiration_days: <int>
      renew: true
Parameters (optional):
- expiration_days - days to expire in, default value is 365
- renew - whether to renew certificates or not, default value is false
NOTE
Usage of values greater than 24855 for expiration_days is not possible.
For more information see discussion about that.
When lscly apply executes, if the renew option is set to true, the following certificates will be renewed with the expiration period defined by expiration_days:
- admin.conf
- apiserver
- apiserver-etcd-client
- apiserver-kubelet-client
- controller-manager.conf
- etcd-healthcheck-client
- etcd-peer
- etcd-server
- front-proxy-client
- scheduler.conf
NOTE
kubelet.conf is not renewed because kubelet is configured for automatic certificate renewal.
To verify that, navigate to /var/lib/kubelet/ and check the config.yaml file, where the rotateCertificates setting is true by default.
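One way to confirm the renewal on a control plane node, as an added example that is not part of LambdaStack: the script below reports the days remaining on each of the ten certificates listed above. It assumes kubeadm's default file layout under /etc/kubernetes, openssl, GNU date and base64; the function names and the K8S_DIR variable are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not LambdaStack code. Assumptions: kubeadm's default layout
# under /etc/kubernetes (override with K8S_DIR), openssl, GNU date and base64.
K8S_DIR="${K8S_DIR:-/etc/kubernetes}"

# The ten certificates the page lists as renewed.
CERTS="admin.conf apiserver apiserver-etcd-client apiserver-kubelet-client
controller-manager.conf etcd-healthcheck-client etcd-peer etcd-server
front-proxy-client scheduler.conf"

# Map a name from the list to its file on a control plane node.
cert_path() {
  case "$1" in
    *.conf) echo "$K8S_DIR/$1" ;;   # kubeconfig with embedded client cert
    etcd-*) echo "$K8S_DIR/pki/etcd/${1#etcd-}.crt" ;;
    *)      echo "$K8S_DIR/pki/$1.crt" ;;
  esac
}

# Print the certificate as PEM; kubeconfigs hold it base64-encoded.
cert_pem() {
  case "$1" in
    *.conf) awk '/client-certificate-data:/ {print $2; exit}' "$(cert_path "$1")" | base64 -d ;;
    *)      cat "$(cert_path "$1")" ;;
  esac
}

# Print whole days until notAfter (zero or negative once expired); fail if unreadable.
days_left() {
  local end end_s
  end=$(cert_pem "$1" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null) || return 1
  end_s=$(date -d "${end#notAfter=}" +%s) || return 1
  echo $(( (end_s - $(date +%s)) / 86400 ))
}

# Print "<name> <days>" per certificate; return 1 if any is unreadable or below the minimum (default 30).
check_certs() {
  local min="${1:-30}" rc=0 name d
  for name in $CERTS; do
    if d=$(days_left "$name"); then
      echo "$name $d"
      [ "$d" -ge "$min" ] || rc=1
    else
      echo "$name unreadable"; rc=1
    fi
  done
  return $rc
}
if [ "${1:-}" = "check" ]; then check_certs "${2:-30}"; fi
```

Run as a user that can read /etc/kubernetes, the arguments check 300 make the script exit non-zero if any listed certificate has fewer than 300 days left, which shows whether a renewal with the default expiration_days of 365 took effect.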
CA certificates rotation
This part cannot be done by LambdaStack. Refer to official Kubernetes documentation to perform this task.