Add information to a warning.

Closes-bug: 2111751
Change-Id: I16686d8b9dacc3ab8a981fc14ed75d36574feed0
Signed-off-by: Elisamara Aoki Gonçalves <elisamaraaoki.goncalves@windriver.com>
Kubernetes Root CA Certificate Update Cloud Orchestration
You can update the Kubernetes Root certificate on a running system, using either an uploaded certificate or an auto-generated certificate.
Warning
Do not let the Kubernetes Root certificate expire on your system, and ensure that certificates with valid and adequate expiry dates are used during renewal, as there is no easy way to recover a system once the Kubernetes Root certificate has expired.
Special care should be taken when updating the Root certificate.
Warning
During the Kubernetes Root update, deployments, daemonsets, and statefulsets present in the cluster are rolling restarted. If updateStrategy is OnDelete, then its pods are deleted. This impacts services provided by the application. It is highly recommended to schedule a Kubernetes Root update during planned maintenance windows.
- The system is clear of alarms (with the exception of alarms for locked hosts, stopped instances, certificate expiring soon, certificate expired, and Kubernetes root ca update in progress).
- All hosts must be unlocked, enabled and available.
- All Kubernetes pods must be ready.
- Cert-manager app is applied.
- A file containing a self-signed certificate and its corresponding private key, if you choose to upload a new Root certificate.
Before starting the update, it is highly recommended to back up the existing Kubernetes Root certificate and key, i.e. /etc/kubernetes/pki/ca.crt and /etc/kubernetes/pki/ca.key.
Create the strategy.
~(keystone_admin)$ sw-manager kube-rootca-update-strategy create --subject "C=CA ST=ON L=OTT O=WR OU=STX CN=STX" --expiry-date YYYY-MM-DD
Strategy Kubernetes RootCA Update Strategy:
  strategy-uuid:             47163c5b-44ac-432a-bd25-6e5c353046e9
  controller-apply-type:     serial
  storage-apply-type:        serial
  worker-apply-type:         serial
  default-instance-action:   stop-start
  alarm-restrictions:        strict
  current-phase:             build
  current-phase-completion:  0%
  state:                     building
  inprogress:                true

~(keystone_admin)$ sw-manager kube-rootca-update-strategy create --cert-file some_cert.pem
  strategy-uuid:             9575f1ea-4d66-4f13-8013-b04c2f420eff
  controller-apply-type:     serial
  storage-apply-type:        serial
  worker-apply-type:         serial
  default-instance-action:   stop-start
  alarm-restrictions:        strict
  current-phase:             build
  current-phase-completion:  0%
  state:                     building
  inprogress:                true

--expiry-date
    Optional argument to specify the expiry date of the new certificate. It has to be in the "YYYY-MM-DD" format. If not specified, the new certificate will have the same validity period as the existing one (normally 10 years).

--subject
    Optional argument to specify the distinguished name of the new certificate. It has to be in the format C=<Country> ST=<State/Province> L=<Locality> O=<Organization> OU=<OrganizationUnit> CN=<commonName>. If not specified, the new certificate will have "Kubernetes" as the default.

--cert-file
    Optional argument to upload a self-signed certificate as the new Root certificate.

Note
Passing --cert-file uses an existing certificate, whereas --expiry-date and --subject generate a new certificate. When an existing certificate is uploaded, any arguments for generating a certificate are ignored.

Note
Ensure the certificates have an RSA key length of at least 2048 bits. The release provides a new version of openssl which requires a minimum of 2048-bit keys for RSA, for better security and encryption strength. You can check the key length by running openssl x509 -in <the certificate file> -noout -text and looking for "Public-Key" in the output. For more information see Create Certificates Locally using openssl.

Apply the strategy.
~(keystone_admin)$ sw-manager kube-rootca-update-strategy apply

Show the status of the update strategy.
~(keystone_admin)$ sw-manager kube-rootca-update-strategy show
Strategy Kubernetes RootCA Update Strategy:
  strategy-uuid:             47163c5b-44ac-432a-bd25-6e5c353046e9
  controller-apply-type:     serial
  storage-apply-type:        serial
  worker-apply-type:         serial
  default-instance-action:   stop-start
  alarm-restrictions:        strict
  current-phase:             build
  current-phase-completion:  100%
  state:                     ready-to-apply
  build-result:              success
  build-reason:

Note
Passing --details will show all the internal steps and stages for the orchestration strategy. Passing --active will show which step is currently running for the orchestration strategy.

If you want to delete the strategy, run:
~(keystone_admin)$ sw-manager kube-rootca-update-strategy delete
Strategy deleted
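The conditions the notes above place on an uploaded certificate (self-signed, RSA key of at least 2048 bits, an expiry date that is not close) can be checked in one pass before running create --cert-file. The script below is an added example, not part of StarlingX or sw-manager; it assumes the openssl CLI is installed and treats 365 remaining days as the assumed default for an "adequate" lifetime.

```shell
#!/bin/sh
# Pre-flight check for a certificate about to be uploaded with
#   sw-manager kube-rootca-update-strategy create --cert-file <file>
# Example code only (not part of StarlingX or sw-manager); assumes the
# openssl CLI is installed. It verifies what the guide requires: a
# self-signed certificate, an RSA key >= 2048 bits, and an expiry date that
# is comfortably in the future (an expired Root CA is very hard to recover).
#
# Usage: check_rootca_candidate <cert.pem> [min_remaining_days]
# Returns 0 when every check passes, 1 otherwise (reason printed to stderr).
check_rootca_candidate() {
    cert="$1"
    min_days="${2:-365}"   # assumed default for "adequate" remaining lifetime

    # 1. The file must parse as an X.509 certificate.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a readable X.509 certificate" >&2
        return 1
    fi

    # 2. Self-signed: issuer and subject distinguished names must match.
    subj=$(openssl x509 -in "$cert" -noout -subject)
    iss=$(openssl x509 -in "$cert" -noout -issuer)
    if [ "${subj#subject=}" != "${iss#issuer=}" ]; then
        echo "FAIL: not self-signed (issuer differs from subject)" >&2
        return 1
    fi

    # 3. RSA key of at least 2048 bits, read from the same "Public-Key" line
    #    the guide tells you to look for in 'openssl x509 -text' output.
    text=$(openssl x509 -in "$cert" -noout -text)
    if ! printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        echo "FAIL: public key is not RSA" >&2
        return 1
    fi
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "FAIL: RSA key is ${bits:-unknown} bits, need >= 2048" >&2
        return 1
    fi

    # 4. Adequate lifetime: -checkend fails if the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: certificate expires within $min_days days" >&2
        return 1
    fi

    echo "OK: $cert is self-signed, RSA $bits bits, valid for at least $min_days more days"
    return 0
}
```

Run it as `check_rootca_candidate some_cert.pem` before creating the strategy; a non-zero exit means the file should not be passed to --cert-file.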