From 3bd37231687d5a87503d0d6fbc43f8773e9c09d9 Mon Sep 17 00:00:00 2001 From: divya-mohan0209 Date: Tue, 22 Mar 2022 11:10:57 +0530 Subject: [PATCH 1/8] Adding content to certificate rotation sections in v2.5 and v2.6 --- .../certificate-rotation/_index.md | 69 +++++++++++++++++++ .../certificate-rotation/_index.md | 69 +++++++++++++++++++ 2 files changed, 138 insertions(+) diff --git a/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md b/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md index 37aa93ed56f..44fe2820c2b 100644 --- a/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md +++ b/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md 
@@ -19,3 +19,72 @@ Certificates can be rotated for the following services: - kube-scheduler - kube-controller-manager + +### Certificate Rotation in Rancher v2.2.x + +_Available as of v2.2.0_ + +Rancher launched Kubernetes clusters have the ability to rotate the auto-generated certificates through the UI. + +1. In the **Global** view, navigate to the cluster that you want to rotate certificates. + +2. Select the **⋮ > Rotate Certificates**. + +3. Select which certificates that you want to rotate. + + * Rotate all Service certificates (keep the same CA) + * Rotate an individual service and choose one of the services from the drop down menu + +4. Click **Save**. + +**Results:** The selected certificates will be rotated and the related services will be restarted to start using the new certificate. + +> **Note:** Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher Launched Kubernetes clusters. + + +### Certificate Rotation in Rancher v2.1.x and v2.0.x + +_Available as of v2.0.14 and v2.1.9_ + +Rancher launched Kubernetes clusters have the ability to rotate the auto-generated certificates through the API. + +1. In the **Global** view, navigate to the cluster that you want to rotate certificates. + +2. Select the **⋮ > View in API**. + +3. Click on **RotateCertificates**. + +4. Click on **Show Request**. + +5. Click on **Send Request**. + +**Results:** All Kubernetes certificates will be rotated. + +### Rotating Expired Certificates After Upgrading Older Rancher Versions + +If you are upgrading from Rancher v2.0.13 or earlier, or v2.1.8 or earlier, and your clusters have expired certificates, some manual steps are required to complete the certificate rotation. + +1. 
For the `controlplane` and `etcd` nodes, log in to each corresponding host and check if the certificate `kube-apiserver-requestheader-ca.pem` is in the following directory: + + ``` + cd /etc/kubernetes/.tmp + ``` + + If the certificate is not in the directory, perform the following commands: + + ``` + cp kube-ca.pem kube-apiserver-requestheader-ca.pem + cp kube-ca-key.pem kube-apiserver-requestheader-ca-key.pem + cp kube-apiserver.pem kube-apiserver-proxy-client.pem + cp kube-apiserver-key.pem kube-apiserver-proxy-client-key.pem + ``` + + If the `.tmp` directory does not exist, you can copy the entire SSL certificate to `.tmp`: + + ``` + cp -r /etc/kubernetes/ssl /etc/kubernetes/.tmp + ``` + +1. Rotate the certificates. For Rancher v2.0.x and v2.1.x, use the [Rancher API.](#certificate-rotation-in-rancher-v2-1-x-and-v2-0-x) For Rancher 2.2.x, [use the UI.](#certificate-rotation-in-rancher-v2-2-x) + +1. After the command is finished, check if the `worker` nodes are Active. If not, log in to each `worker` node and restart the kubelet and proxy. diff --git a/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md b/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md index 8a70bfd34b6..aa500d52c52 100644 --- a/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md +++ b/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md 
@@ -19,3 +19,72 @@ Certificates can be rotated for the following services: > **Note:** For users who didn't rotate their webhook certificates, and they have expired after one year, please see this [page]({{}}/rancher/v2.6/en/troubleshooting/expired-webhook-certificates/) for help. + +### Certificate Rotation in Rancher v2.2.x + +_Available as of v2.2.0_ + +Rancher launched Kubernetes clusters have the ability to rotate the auto-generated certificates through the UI. + +1. In the **Global** view, navigate to the cluster that you want to rotate certificates. + +2. Select the **⋮ > Rotate Certificates**. + +3. Select which certificates that you want to rotate. + + * Rotate all Service certificates (keep the same CA) + * Rotate an individual service and choose one of the services from the drop down menu + +4. Click **Save**. + +**Results:** The selected certificates will be rotated and the related services will be restarted to start using the new certificate. + +> **Note:** Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher Launched Kubernetes clusters. + + +### Certificate Rotation in Rancher v2.1.x and v2.0.x + +_Available as of v2.0.14 and v2.1.9_ + +Rancher launched Kubernetes clusters have the ability to rotate the auto-generated certificates through the API. + +1. In the **Global** view, navigate to the cluster that you want to rotate certificates. + +2. Select the **⋮ > View in API**. + +3. Click on **RotateCertificates**. + +4. Click on **Show Request**. + +5. Click on **Send Request**. + +**Results:** All Kubernetes certificates will be rotated. + +### Rotating Expired Certificates After Upgrading Older Rancher Versions + +If you are upgrading from Rancher v2.0.13 or earlier, or v2.1.8 or earlier, and your clusters have expired certificates, some manual steps are required to complete the certificate rotation. + +1. 
For the `controlplane` and `etcd` nodes, log in to each corresponding host and check if the certificate `kube-apiserver-requestheader-ca.pem` is in the following directory: + + ``` + cd /etc/kubernetes/.tmp + ``` + + If the certificate is not in the directory, perform the following commands: + + ``` + cp kube-ca.pem kube-apiserver-requestheader-ca.pem + cp kube-ca-key.pem kube-apiserver-requestheader-ca-key.pem + cp kube-apiserver.pem kube-apiserver-proxy-client.pem + cp kube-apiserver-key.pem kube-apiserver-proxy-client-key.pem + ``` + + If the `.tmp` directory does not exist, you can copy the entire SSL certificate to `.tmp`: + + ``` + cp -r /etc/kubernetes/ssl /etc/kubernetes/.tmp + ``` + +1. Rotate the certificates. For Rancher v2.0.x and v2.1.x, use the [Rancher API.](#certificate-rotation-in-rancher-v2-1-x-and-v2-0-x) For Rancher 2.2.x, [use the UI.](#certificate-rotation-in-rancher-v2-2-x) + +1. After the command is finished, check if the `worker` nodes are Active. If not, log in to each `worker` node and restart the kubelet and proxy. From a1f4adc249472a61c2b7549e7e5d45780a24e8e3 Mon Sep 17 00:00:00 2001 From: divya-mohan0209 Date: Wed, 23 Mar 2022 10:29:23 +0530 Subject: [PATCH 2/8] Amendments made per review --- .../certificate-rotation/_index.md | 52 +------------------ .../certificate-rotation/_index.md | 52 +------------------ 2 files changed, 2 insertions(+), 102 deletions(-) diff --git a/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md b/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md index 44fe2820c2b..8eba2be2765 100644 --- a/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md +++ b/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md 
@@ -20,9 +20,7 @@ Certificates can be rotated for the following services: - kube-controller-manager -### Certificate Rotation in Rancher v2.2.x - -_Available as of v2.2.0_ +### Certificate Rotation Rancher launched Kubernetes clusters have the ability to rotate the auto-generated certificates through the UI. 
@@ -40,51 +38,3 @@ Rancher launched Kubernetes clusters have the ability to rotate the auto-generat **Results:** The selected certificates will be rotated and the related services will be restarted to start using the new certificate. > **Note:** Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher Launched Kubernetes clusters. - - -### Certificate Rotation in Rancher v2.1.x and v2.0.x - -_Available as of v2.0.14 and v2.1.9_ - -Rancher launched Kubernetes clusters have the ability to rotate the auto-generated certificates through the API. - -1. In the **Global** view, navigate to the cluster that you want to rotate certificates. - -2. Select the **⋮ > View in API**. - -3. Click on **RotateCertificates**. - -4. Click on **Show Request**. - -5. Click on **Send Request**. - -**Results:** All Kubernetes certificates will be rotated. - -### Rotating Expired Certificates After Upgrading Older Rancher Versions - -If you are upgrading from Rancher v2.0.13 or earlier, or v2.1.8 or earlier, and your clusters have expired certificates, some manual steps are required to complete the certificate rotation. - -1. For the `controlplane` and `etcd` nodes, log in to each corresponding host and check if the certificate `kube-apiserver-requestheader-ca.pem` is in the following directory: - - ``` - cd /etc/kubernetes/.tmp - ``` - - If the certificate is not in the directory, perform the following commands: - - ``` - cp kube-ca.pem kube-apiserver-requestheader-ca.pem - cp kube-ca-key.pem kube-apiserver-requestheader-ca-key.pem - cp kube-apiserver.pem kube-apiserver-proxy-client.pem - cp kube-apiserver-key.pem kube-apiserver-proxy-client-key.pem - ``` - - If the `.tmp` directory does not exist, you can copy the entire SSL certificate to `.tmp`: - - ``` - cp -r /etc/kubernetes/ssl /etc/kubernetes/.tmp - ``` - -1. Rotate the certificates. 
For Rancher v2.0.x and v2.1.x, use the [Rancher API.](#certificate-rotation-in-rancher-v2-1-x-and-v2-0-x) For Rancher 2.2.x, [use the UI.](#certificate-rotation-in-rancher-v2-2-x) - -1. After the command is finished, check if the `worker` nodes are Active. If not, log in to each `worker` node and restart the kubelet and proxy. diff --git a/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md b/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md index aa500d52c52..4e0e0488271 100644 --- a/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md +++ b/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md @@ -20,9 +20,7 @@ Certificates can be rotated for the following services: > **Note:** For users who didn't rotate their webhook certificates, and they have expired after one year, please see this [page]({{}}/rancher/v2.6/en/troubleshooting/expired-webhook-certificates/) for help. -### Certificate Rotation in Rancher v2.2.x - -_Available as of v2.2.0_ +### Certificate Rotation Rancher launched Kubernetes clusters have the ability to rotate the auto-generated certificates through the UI. 
@@ -40,51 +38,3 @@ Rancher launched Kubernetes clusters have the ability to rotate the auto-generat **Results:** The selected certificates will be rotated and the related services will be restarted to start using the new certificate. > **Note:** Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher Launched Kubernetes clusters. - - -### Certificate Rotation in Rancher v2.1.x and v2.0.x - -_Available as of v2.0.14 and v2.1.9_ - -Rancher launched Kubernetes clusters have the ability to rotate the auto-generated certificates through the API. - -1. In the **Global** view, navigate to the cluster that you want to rotate certificates. - -2. Select the **⋮ > View in API**. - -3. Click on **RotateCertificates**. - -4. Click on **Show Request**. - -5. Click on **Send Request**. - -**Results:** All Kubernetes certificates will be rotated. - -### Rotating Expired Certificates After Upgrading Older Rancher Versions - -If you are upgrading from Rancher v2.0.13 or earlier, or v2.1.8 or earlier, and your clusters have expired certificates, some manual steps are required to complete the certificate rotation. - -1. For the `controlplane` and `etcd` nodes, log in to each corresponding host and check if the certificate `kube-apiserver-requestheader-ca.pem` is in the following directory: - - ``` - cd /etc/kubernetes/.tmp - ``` - - If the certificate is not in the directory, perform the following commands: - - ``` - cp kube-ca.pem kube-apiserver-requestheader-ca.pem - cp kube-ca-key.pem kube-apiserver-requestheader-ca-key.pem - cp kube-apiserver.pem kube-apiserver-proxy-client.pem - cp kube-apiserver-key.pem kube-apiserver-proxy-client-key.pem - ``` - - If the `.tmp` directory does not exist, you can copy the entire SSL certificate to `.tmp`: - - ``` - cp -r /etc/kubernetes/ssl /etc/kubernetes/.tmp - ``` - -1. Rotate the certificates. 
For Rancher v2.0.x and v2.1.x, use the [Rancher API.](#certificate-rotation-in-rancher-v2-1-x-and-v2-0-x) For Rancher 2.2.x, [use the UI.](#certificate-rotation-in-rancher-v2-2-x) - -1. After the command is finished, check if the `worker` nodes are Active. If not, log in to each `worker` node and restart the kubelet and proxy. From cdc4c4ec3fc250d9cff043fbe81b51389bc8f82b Mon Sep 17 00:00:00 2001 From: divya-mohan0209 Date: Wed, 23 Mar 2022 20:33:17 +0530 Subject: [PATCH 3/8] Update content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md Co-authored-by: Jen Travinski --- .../v2.5/en/cluster-admin/certificate-rotation/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md b/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md index 8eba2be2765..46addbdd478 100644 --- a/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md +++ b/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md @@ -26,7 +26,7 @@ Rancher launched Kubernetes clusters have the ability to rotate the auto-generat 1. In the **Global** view, navigate to the cluster that you want to rotate certificates. -2. Select the **⋮ > Rotate Certificates**. +2. Select **⋮ > Rotate Certificates**. 3. Select which certificates that you want to rotate. From 7ef2fafc8fd662cb3d67a52e6c3fa0e3f1ed471d Mon Sep 17 00:00:00 2001 From: divya-mohan0209 Date: Wed, 23 Mar 2022 20:33:31 +0530 Subject: [PATCH 4/8] Update content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md Co-authored-by: Jen Travinski --- .../v2.5/en/cluster-admin/certificate-rotation/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md b/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md index 46addbdd478..b6ef8802966 100644 
--- a/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md +++ b/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md @@ -31,7 +31,7 @@ Rancher launched Kubernetes clusters have the ability to rotate the auto-generat 3. Select which certificates that you want to rotate. * Rotate all Service certificates (keep the same CA) - * Rotate an individual service and choose one of the services from the drop down menu + * Rotate an individual service and choose one of the services from the drop-down menu 4. Click **Save**. From 49d8476b782186e950e7f2c033fabef778c77f32 Mon Sep 17 00:00:00 2001 From: divya-mohan0209 Date: Wed, 23 Mar 2022 20:33:51 +0530 Subject: [PATCH 5/8] Update content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md Co-authored-by: Jen Travinski --- .../v2.5/en/cluster-admin/certificate-rotation/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md b/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md index b6ef8802966..168a7e4094b 100644 --- a/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md +++ b/content/rancher/v2.5/en/cluster-admin/certificate-rotation/_index.md @@ -37,4 +37,4 @@ Rancher launched Kubernetes clusters have the ability to rotate the auto-generat **Results:** The selected certificates will be rotated and the related services will be restarted to start using the new certificate. -> **Note:** Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher Launched Kubernetes clusters. +> **Note:** Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher launched Kubernetes clusters. From c9fb52b8c79b7d4b043f2100525964d42b55a93a Mon Sep 17 00:00:00 2001 
From: divya-mohan0209 Date: Wed, 23 Mar 2022 20:34:02 +0530 Subject: [PATCH 6/8] Update content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md Co-authored-by: Jen Travinski --- .../v2.6/en/cluster-admin/certificate-rotation/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md b/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md index 4e0e0488271..1e1d4b11681 100644 --- a/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md +++ b/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md @@ -26,7 +26,7 @@ Rancher launched Kubernetes clusters have the ability to rotate the auto-generat 1. In the **Global** view, navigate to the cluster that you want to rotate certificates. -2. Select the **⋮ > Rotate Certificates**. +2. Select **⋮ > Rotate Certificates**. 3. Select which certificates that you want to rotate. From e8076b5746c55e2481b963b7bf7a5d70c6cc94b7 Mon Sep 17 00:00:00 2001 From: divya-mohan0209 Date: Wed, 23 Mar 2022 20:34:16 +0530 Subject: [PATCH 7/8] Update content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md Co-authored-by: Jen Travinski --- .../v2.6/en/cluster-admin/certificate-rotation/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md b/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md index 1e1d4b11681..2f22c2d859f 100644 --- a/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md +++ b/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md 
@@ -31,7 +31,7 @@ Rancher launched Kubernetes clusters have the ability to rotate the auto-generat 3. Select which certificates that you want to rotate. * Rotate all Service certificates (keep the same CA) - * Rotate an individual service and choose one of the services from the drop down menu + * Rotate an individual service and choose one of the services from the drop-down menu 4. Click **Save**. From 6720d564e878341ab4e9c474504501ff832c192f Mon Sep 17 00:00:00 2001 From: divya-mohan0209 Date: Wed, 23 Mar 2022 20:34:26 +0530 Subject: [PATCH 8/8] Update content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md Co-authored-by: Jen Travinski --- .../v2.6/en/cluster-admin/certificate-rotation/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md b/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md index 2f22c2d859f..664af10b1fc 100644 --- a/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md +++ b/content/rancher/v2.6/en/cluster-admin/certificate-rotation/_index.md @@ -37,4 +37,4 @@ Rancher launched Kubernetes clusters have the ability to rotate the auto-generat **Results:** The selected certificates will be rotated and the related services will be restarted to start using the new certificate. -> **Note:** Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher Launched Kubernetes clusters. +> **Note:** Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher launched Kubernetes clusters.
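Review bot: In PATCH 1/8, step 1 of "Rotating Expired Certificates After Upgrading Older Rancher Versions" (added identically to the v2.5 and v2.6 files) tells the reader to check whether `kube-apiserver-requestheader-ca.pem` is present but shows only `cd /etc/kubernetes/.tmp`, which checks nothing and fails in the very case the step handles last, where `.tmp` does not exist. Move the "If the `.tmp` directory does not exist" fallback to the top of the step, show a listing command for the check, and say that the four `cp` commands are run from inside `.tmp`. "copy the entire SSL certificate to `.tmp`" should read "the entire SSL certificate directory", since the command is `cp -r /etc/kubernetes/ssl /etc/kubernetes/.tmp`. Two of the copies duplicate private keys under new names (`kube-ca-key.pem`, `kube-apiserver-key.pem`); a sentence on why the cluster CA key pair is reused as the request-header CA would help operators who audit key material on these hosts. In step 3, "After the command is finished" has no antecedent because step 2 uses the API or the UI, and "restart the kubelet and proxy" gives no command.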
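Review bot: In PATCH 2/8, the replacement heading `### Certificate Rotation` repeats the topic of the page itself (the file is `certificate-rotation/_index.md`) and no longer says what the section covers; since the sentence under it reads "rotate the auto-generated certificates through the UI", a heading that names the UI procedure would be clearer. The second hunk in each file removes the API procedure and the expired-certificate recovery steps that 1/8 added, so the series nets out to the UI section only (the diffstat shows 2 insertions and 102 deletions). Squash 1/8 and 2/8 so the withdrawn key-copy instructions do not sit in history as if they had been published, and replace "Amendments made per review" with a message that says which sections were dropped and why.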
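Review bot: PATCH 3/8 through 8/8 fix three wording issues per file but leave two ungrammatical lines visible as context in the same hunks: "navigate to the cluster that you want to rotate certificates" is missing "for", and "Select which certificates that you want to rotate" should drop "that". The note these patches touch still reads "doesn't allow the ability to upload these", which could be "doesn't support uploading these". All six commits carry the same generated subject, "Update content/rancher/.../certificate-rotation/_index.md", and each changes one line; fold them into a single commit per file, or into the squashed content commit, with a subject that names the wording fixes.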