Some questions about certificates #3041

ag4544 · 2022-06-12T15:01:53Z

ag4544
Jun 12, 2022

Hi.
The documentation says: "By default, certificates in RKE2 expire in 12 months." Is it possible to set expiration date of certificates for 10 years instead of 1 year?

And another question about certificates.
There is secret "rke2-serving" in "kube-system" namespace, which contains TLS certificate (tls.crt) and it's private key (tls.key).
After executing

systemctl stop rke2-server
rke2 certificate rotate
systemctl start rke2-server

this certificate hasn't been rotated. Is it OK? What happens if this certificate would be expired?
Thanks.

Answered by Martin-Weiss

Jun 13, 2022

Regarding the lifetime of certificates - more than one year is seen as "insecure" and some browsers stopped to accept certificates with a lifetime >1 year.

View full answer

Martin-Weiss · 2022-06-13T06:52:30Z

Martin-Weiss
Jun 13, 2022
Collaborator

Regarding the lifetime of certificates - more than one year is seen as "insecure" and some browsers stopped to accept certificates with a lifetime >1 year.

3 replies

brandond Jun 13, 2022
Maintainer

There is secret "rke2-serving" in "kube-system" namespace, which contains TLS certificate (tls.crt) and it's private key (tls.key).

This certificate is dynamically regenerated at runtime in response to requests coming into the system. Its validity will be automatically extended as needed, without needing to restart any processes.

ag4544 Jun 14, 2022
Author

@brandond
Thanks for the reply. But I can't understand some things about certificate rotation.
For example, I have cluster with 3 master and 7 worker nodes and I want to rotate certificates.
Is it enough to do

systemctl stop rke2-server
rke2 certificate rotate
systemctl start rke2-server

on master nodes or I also must restart rke2-agent on worker nodes?
Should I drain and cordon worker node first before restarting rke2-agent service?
Are applications working and could they processing requests during the restart of rke2-agent service on worker nodes?

brandond Jun 14, 2022
Maintainer

on master nodes or I also must restart rke2-agent on worker nodes?

you should restart rke2-agent if you want the kubelet certs to be rotated as well.

Should I drain and cordon worker node first before restarting rke2-agent service

no, that should not be necessary, as long as your workloads can tolerate a short outage of the apiserver as things are reloaded to use the new certificates.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Some questions about certificates #3041

{{title}}

Replies: 1 comment 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Some questions about certificates #3041

ag4544 Jun 12, 2022

Replies: 1 comment · 3 replies

Martin-Weiss Jun 13, 2022 Collaborator

brandond Jun 13, 2022 Maintainer

ag4544 Jun 14, 2022 Author

brandond Jun 14, 2022 Maintainer

ag4544
Jun 12, 2022

Replies: 1 comment 3 replies

Martin-Weiss
Jun 13, 2022
Collaborator

brandond Jun 13, 2022
Maintainer

ag4544 Jun 14, 2022
Author

brandond Jun 14, 2022
Maintainer