|
| 1 | +## Automatically rotating certificates using Kubeadm Control Plane provider |
| 2 | + |
| 3 | +When using Kubeadm Control Plane provider (KCP) it is possible to configure automatic certificate rotations. KCP does this by triggering a rollout when the certificates on the machines are about to expire. |
| 4 | + |
| 5 | +### Configuring Machine Rollout |
| 6 | + |
| 7 | +To configure a rollout on the KCP machines you need to set `.rolloutBefore.certificatesExpiryDays` (minimum of 7 days). |
| 8 | + |
| 9 | +Example: |
| 10 | +```yaml |
| 11 | +apiVersion: controlplane.cluster.x-k8s.io/v1beta1 |
| 12 | +kind: KubeadmControlPlane |
| 13 | +metadata: |
| 14 | + name: example-control-plane |
| 15 | +spec: |
| 16 | + rolloutBefore: |
| 17 | + certificatesExpiryDays: 21 # trigger a rollout if certificates expire within 21 days |
| 18 | + kubeadmConfigSpec: |
| 19 | + clusterConfiguration: |
| 20 | + ... |
| 21 | + initConfiguration: |
| 22 | + ... |
| 23 | + joinConfiguration: |
| 24 | + ... |
| 25 | + machineTemplate: |
| 26 | + infrastructureRef: |
| 27 | + ... |
| 28 | + replicas: 1 |
| 29 | + version: v1.23.3 |
| 30 | +``` |
| 31 | +
|
| 32 | +TODO: Add a few lines on recommendations to set the `certificatesExpiryDays` to a big value so that all the machines will have time to completely rollout. |
| 33 | + |
| 34 | +### Calculating Certificate Expiry |
| 35 | + |
| 36 | +KCP uses the value in the corresponding Control Plane machine's `Machine.Status.CertificatesExpiryDate` to check if a machine's certificates are going to expire and if it needs to be rolled out. |
| 37 | + |
| 38 | +`Machine.Status.CertificatesExpiryDate` get its value from one of the following 2 places: |
| 39 | + |
| 40 | +* `machine.cluster.x-k8s.io/certificates-expiry` annotation value on the Machine object |
| 41 | +* `machine.cluster.x-k8s.io/certificates-expiry` annotation value on the Bootstrap Config object of the corresponding object |
| 42 | + |
| 43 | +The annotation value is a [RFC3339] format timestamp. The annotation value on the machine object, if provided, will take precedence. |
| 44 | + |
| 45 | +#### Certificate Expiry from Kubeadm Bootstrap Config |
| 46 | + |
| 47 | +When KubeadmConfig creates the bootstrap data secret for the first time it captures 1 year from the reconciliation time and store it as the `machine.cluster.x-k8s.io/certificates-expiry` annotation value on the KubeadmConfig object. We chose 1 year from the reconciliation time because kubeadm is hard-coded to generate machine certificates that are valid for one year. |
| 48 | + |
| 49 | +<aside class="note warning"> |
| 50 | + |
| 51 | +<h1> Approximate Certificate Expiry Time </h1> |
| 52 | + |
| 53 | +The time captured in the KubeadmConfig annotation is an approximate time at which the machine certificates will expire. Since the Kubeadm data secret is generated before is is used by kubeadm to generate the certificates the time captured in the annotation will be a little early than the actual certificate expiry time. |
| 54 | +Since the difference in this time will be very small compared to the lifetime of the certificate it should not affect the certificate renewal rollout in any significant way. |
| 55 | + |
| 56 | +</aside> |
| 57 | + |
| 58 | +<!-- links --> |
| 59 | +[RFC3339]: https://www.ietf.org/rfc/rfc3339.txt |
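Review bot: the `TODO:` placeholder on line 32 of the hunk ("Add a few lines on recommendations to set the `certificatesExpiryDays` to a big value...") should not ship in the rendered docs; either write the recommendation now (the point it wants to make, that the value must leave enough time for every control plane machine to roll out before the earliest certificate expires, follows directly from the "minimum of 7 days" constraint and the example above it) or drop the line until the text is ready. A few grammar fixes in the same section: "get its value" should be "gets its value", "captures 1 year from the reconciliation time and store it" should be "stores it", "before is is used" is a doubled "is", and "a little early than" should read "a little earlier than". The second bullet, "annotation value on the Bootstrap Config object of the corresponding object", is also hard to parse; suggest "annotation value on the Machine's corresponding Bootstrap Config object". Finally, since the page states that the Machine annotation takes precedence over the KubeadmConfig one, it would help readers to say explicitly that the KubeadmConfig value is set only when the bootstrap data secret is first created, so the Machine annotation is the place to record a different expiry if one is known.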