Skip to main content

Certificate Management

Palette installs Kubernetes through the tool, kubeadm. As a result, all deployed clusters include auto-generated Public Key Infrastructure (PKI) certificates created by kubeadm. We recommend you review the PKI certificates and requirement Kubernetes documentation to learn more about the auto-generated certificates and to better understand their purpose.

This reference page focuses on how to renew the PKI certificates through Palette. You have two options for how you can renew the cluster PKI certificates:


  • Automatic Certificate Renewal

  • Manual Certificate Renewal

info

Certificates created by kubeadm expire after 365 days. The Root Certificate Authority (CA) is valid for 3652 days or 10 years.

You can learn more about each option in the following sections.

Automatic Certificate Renewal

Palette will automatically update the cluster PKI certificates 30 days before they expire. The automatic renewal process will not cause a cluster repave. The automatic renewal process will only renew the certificates for the control plane nodes.

Another scenario that results in new PKI certificates is upgrading a cluster's Kubernetes version. Upgrading a cluster's Kubernetes version, whether a minor patch or a major release, results in renewed PKI certificates. We recommend regularly updating your clusters to stay current with security fixes and best practices.


info

You can upgrade the Kubernetes version of a cluster by updating the Kubernetes layer of the cluster profile and applying the cluster profile update to the cluster. For guidelines on updating pack versions, review Update the Pack Version.

Manual Certificate Renewal

You can renew the cluster PKI certificates on-demand using the Palette API or the Palette User Interface (UI). Palette uses the same process to renew the cluster PKI certificates as the automatic renewal process. The only difference is that the manual renewal is triggered by the user.

Review the following sections to learn how to manually renew the cluster PKI certificates. Choose your preferred update method, using the Palette UI or the API.

Prerequisites

  • A deployed host cluster.

  • Access to the host cluster.

Renew Cluster Certificate

  1. Log in to Palette.

  2. Navigate to the left Main Menu and select Clusters.

  3. Select the host cluster to renew its PKI certificates.

  4. From the cluster details page, click on View K8s Certificates.


A view of the Palette UI with an arrow pointing to the View K8s Certificates button.

  1. Next, select Renew All to start the renewal process.

A view of the cluster certificates displaying the expiration date

The renewal process may take several minutes, depending on the number of cluster nodes.

Validate

Using the following steps, you can validate that the cluster's PKI certificates were renewed.


  1. Log in to Palette.

  2. Navigate to the left Main Menu and select Clusters.

  3. Select the host cluster with the renewed PKI certificates.

  4. From the cluster details page, click on View K8s Certificates.

  5. Review the expiration date for each component. Each component's expiration date will have a status of 365d with a date that is one year away.


Advanced - Only Renew Control Plane Nodes

You can configure Palette to only renew the PKI certificates for the control plane nodes. You can achieve this by using the annotation spectrocloud.com/cert-renew-controlplane-only and setting the value to true. To enable this behavior, you must use kubectl and apply the update to a Custom Resource Definition (CRD) created by Palette during the cluster deployment process.

Use the following steps to configure Palette only to renew the certificates for control plane nodes.

Prerequisites

  • Kubectl is installed in your system.

  • A host cluster deployed.

  • Access to the host cluster's kubeconfig file. Refer to the Access Cluster with CLI guide to learn how to use your cluster's kubeconfig file.

Configure Cluster

  1. Set your cluster name as an environment variable. Add your cluster's name in place of REPLACE_ME.

export CLUSTER_NAME=REPLACE_ME
  1. Use the following command to retrieve the namespace of the CRD Palette created in your cluster.

namespace=$(kubectl get spc --all-namespaces --output jsonpath='{range .items[?(@.metadata.name=="'"$CLUSTER_NAME"'")]}{.metadata.namespace}{"\n"}{end}')
  1. Use kubectl to update the CRD to include the spectrocloud.com/cert-renew-controlplane-only annotation.

kubectl annotate spc/certificate-renew --namespace $namespace spectrocloud.com/cert-renew-controlplane-only="true"
  1. Verify the annotation was set correctly with the command below. The expected output is true.

kubectl get spc/$CLUSTER_NAME --namespace $(kubectl get spc --all-namespaces --output jsonpath='{range .items[?(@.metadata.name=="'"$CLUSTER_NAME"'")]}{.metadata.namespace}{"\n"}{end}') --output jsonpath='{.metadata.annotations.spectrocloud\.com/cert-renew-controlplane-only}'

Output

true
  1. Next, trigger a certificate renewal using either Automatic Certificate Renewal or Manual Certificate Renewal.

The renewal process may take several minutes, depending on the number of cluster nodes.

Validate

Using the following steps, you can validate that the cluster's PKI certificates are renewed only for the control plane nodes.


  1. Log in to Palette.

  2. Navigate to the left Main Menu and select Clusters.

  3. Select the host cluster to renew its PKI certificates.

  4. From the cluster details page, click on View K8s Certificates.

  5. Review the expiration date for each component. Each component's expiration date will have a status of 365d with a date that is one year away.

  6. Navigate to the Nodes tab and verify the Worker Pool nodes' Age is not updated recently.


View of the cluster nodes where only the control plane nodes are modified