-
|
Hi all We have a 3-node rke2 cluster where each node is master and agent. In addition, I have some questions: Do we need to run the certificate rotation on every node? The command only rotates all of the client certificates that are located in /var/lib/rancher/rke2/server/tls. Did not try this yet but what happens to the certificates when you perform a k8s upgrade with rke2? And last I have a recommendation. It would be nice to have a command that would output validity of all deployed certificates. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
CA cert rotation and custom CA certs are not supported in any available release. You can see the proposal at https://github.com/k3s-io/k3s/blob/master/docs/adrs/ca-cert-rotation.md - the initial implementation of this should be in the next set of releases, and docs are currently work in progress. |
Beta Was this translation helpful? Give feedback.
-
|
There is not much of a need to check the validity, as the certs are regenerated on startup if necessary. If there is any question about validity or approaching expiration, just restart the rke2 service. |
Beta Was this translation helpful? Give feedback.
-
|
Good to see that there is a proposal on CA cert rotation. What does happen when you upgrade the k8s with rke2? I assume the client certificate gets updated during the upgrade but the server does not. The reason for me being pushy on the subject is that we will install a small on-prem k8s system and live them for some time. |
Beta Was this translation helpful? Give feedback.
-
I'm not sure I'm understanding the question. Why would client certificates need updating when the version changes? |
Beta Was this translation helpful? Give feedback.
-
|
I was just wondering if that is the case. Thank you for your answers. |
Beta Was this translation helpful? Give feedback.
CA cert rotation and custom CA certs are not supported in any available release. You can see the proposal at https://github.com/k3s-io/k3s/blob/master/docs/adrs/ca-cert-rotation.md - the initial implementation of this should be in the next set of releases, and docs are currently work in progress.