Certificates rotation

juancho85

Hello,

I'm looking for some advice on the procedure of certificates rotation. I have been practicing to install a cluster from scratch with Kelsey Hightower's Kubernetes the hard way. It has been great to understand the certificates needed to build trust between components that form a Kubernetes cluster.

But consulting the official documentation about certificates rotation I 've only found this resource, which mentions only the kubelet component.

I guess that the idea of certificate rotation would be to change all af the certificates involved: controller-manager, kube-proxy, scheduler, api-server, etc.

So, my questions are:

• Are there any resources about the subject that you would recommend?
• Is there an order I should follow in the update of the components to minimize the service disruption? I imagine there will be a period where there will be communication problems because some components will be using the old certificates and some others will be using the new ones
• Say I backup the old certificates (create a copy in a different path) and replace the current files with newly generated certificates. Will I still need to restart the system units (or static pods / regular pods) that include some certificates configuration or will the configuraton be "hot" reloaded?

Thanks

chrispokorni

Hi @juancho85 ,
In order to better understand the role of the kubelet agent in the cluster, I recommend some extra reading on the role of certificates in intra-cluster communication:

https://kubernetes.io/docs/setup/best-practices/certificates/
https://kubernetes.io/docs/concepts/architecture/master-node-communication/

and the TLS bootstrapping process:

https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping/

Hoping this helps to shed some light on the kubelet's involvement in the certificate rotation process.

Regards,
-Chris