From 4e1ae95bc2e8516203562127121976aa4e235e1f Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Wed, 30 Jul 2025 16:57:16 -0700 Subject: [PATCH 1/2] rm RKE1 references: rotate-certificates --- .../manage-clusters/rotate-certificates.md | 30 +------------------ .../manage-clusters/rotate-certificates.md | 30 +------------------ .../manage-clusters/rotate-certificates.md | 30 +------------------ .../manage-clusters/rotate-certificates.md | 30 +------------------ 4 files changed, 4 insertions(+), 116 deletions(-) diff --git a/docs/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md b/docs/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md index 6f1010ff99c..259fcecbcf6 100644 --- a/docs/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md +++ b/docs/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md @@ -16,20 +16,6 @@ By default, Kubernetes clusters require certificates and Rancher launched Kubern Certificates can be rotated for the following services: - - - -- etcd -- kubelet (node certificate) -- kubelet (serving certificate, if [enabled](https://rancher.com/docs/rke/latest/en/config-options/services/#kubelet-options)) -- kube-apiserver -- kube-proxy -- kube-scheduler -- kube-controller-manager - - - - - admin - api-server - controller-manager @@ -42,9 +28,6 @@ Certificates can be rotated for the following services: - kubelet - kube-proxy - - - :::note For users who didn't rotate their webhook certificates, and they have expired after one year, please see this [page](../../../troubleshooting/other-troubleshooting-tips/expired-webhook-certificate-rotation.md) for help. 
@@ -68,15 +51,4 @@ Rancher launched Kubernetes clusters have the ability to rotate the auto-generat ### Additional Notes - - - -Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher launched Kubernetes clusters. - - - - -In RKE2, both etcd and control plane nodes are treated as the same `server` concept. As such, when rotating certificates of services specific to either of these components will result in certificates being rotated on both. The certificates will only change for the specified service, but you will see nodes for both components go into an updating state. You may also see worker only nodes go into an updating state. This is to restart the workers after a certificate change to ensure they get the latest client certs. - - - +In RKE2/K3s, both etcd and control plane nodes are treated as the same `server` concept. As such, when rotating certificates of services specific to either of these components will result in certificates being rotated on both. The certificates will only change for the specified service, but you will see nodes for both components go into an updating state. You may also see worker only nodes go into an updating state. This is to restart the workers after a certificate change to ensure they get the latest client certs. diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md index be1431337b7..e231727abbd 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md 
@@ -12,20 +12,6 @@ title: 证书轮换 可以为以下服务轮换证书: - - - -- etcd -- kubelet(节点证书) -- kubelet(服务证书,如果[启用](https://rancher.com/docs/rke/latest/en/config-options/services/#kubelet-options)) -- kube-apiserver -- kube-proxy -- kube-scheduler -- kube-controller-manager - - - - - admin - api-server - controller-manager @@ -38,9 +24,6 @@ title: 证书轮换 - kubelet - kube-proxy - - - :::note 如果你未轮换 webhook 证书,且证书用了一年后已经过期,请参阅此[页面](../../../troubleshooting/other-troubleshooting-tips/expired-webhook-certificate-rotation.md)。 @@ -64,15 +47,4 @@ Rancher 启动的 Kubernetes 集群能够通过 UI 轮换自动生成的证书 ## 补充说明 - - - -虽然 RKE CLI 可以为 Kubernetes 集群组件使用自定义证书,但 Rancher 目前不允许在 Rancher 启动的 Kubernetes 集群中上传这些证书。 - - - - -在 RKE2 中,etcd 和 controlplane 节点都被视为相同的 `server`。因此,如果你轮换其中一个组件的服务证书,则两者的证书都会被轮换。证书只会针对指定的服务更改,但你会看到两个组件的节点都进入更新状态。你可能还会看到仅 Worker 节点进入更新状态。这是在证书更改后重启 Worker,以确保他们获得最新的客户端证书。 - - - +在 RKE2/K3s 中,etcd 和 controlplane 节点都被视为相同的 `server`。因此,如果你轮换其中一个组件的服务证书,则两者的证书都会被轮换。证书只会针对指定的服务更改,但你会看到两个组件的节点都进入更新状态。你可能还会看到仅 Worker 节点进入更新状态。这是在证书更改后重启 Worker,以确保他们获得最新的客户端证书。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md index be1431337b7..e231727abbd 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md +++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md @@ -12,20 +12,6 @@ title: 证书轮换 可以为以下服务轮换证书: - - - -- etcd -- kubelet(节点证书) -- kubelet(服务证书,如果[启用](https://rancher.com/docs/rke/latest/en/config-options/services/#kubelet-options)) -- kube-apiserver -- kube-proxy -- kube-scheduler -- kube-controller-manager - - - - - admin - api-server - controller-manager 
@@ -38,9 +24,6 @@ title: 证书轮换 - kubelet - kube-proxy - - - :::note 如果你未轮换 webhook 证书,且证书用了一年后已经过期,请参阅此[页面](../../../troubleshooting/other-troubleshooting-tips/expired-webhook-certificate-rotation.md)。 @@ -64,15 +47,4 @@ Rancher 启动的 Kubernetes 集群能够通过 UI 轮换自动生成的证书 ## 补充说明 - - - -虽然 RKE CLI 可以为 Kubernetes 集群组件使用自定义证书,但 Rancher 目前不允许在 Rancher 启动的 Kubernetes 集群中上传这些证书。 - - - - -在 RKE2 中,etcd 和 controlplane 节点都被视为相同的 `server`。因此,如果你轮换其中一个组件的服务证书,则两者的证书都会被轮换。证书只会针对指定的服务更改,但你会看到两个组件的节点都进入更新状态。你可能还会看到仅 Worker 节点进入更新状态。这是在证书更改后重启 Worker,以确保他们获得最新的客户端证书。 - - - +在 RKE2/K3s 中,etcd 和 controlplane 节点都被视为相同的 `server`。因此,如果你轮换其中一个组件的服务证书,则两者的证书都会被轮换。证书只会针对指定的服务更改,但你会看到两个组件的节点都进入更新状态。你可能还会看到仅 Worker 节点进入更新状态。这是在证书更改后重启 Worker,以确保他们获得最新的客户端证书。 diff --git a/versioned_docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md b/versioned_docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md index 6f1010ff99c..259fcecbcf6 100644 --- a/versioned_docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md +++ b/versioned_docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-certificates.md @@ -16,20 +16,6 @@ By default, Kubernetes clusters require certificates and Rancher launched Kubern Certificates can be rotated for the following services: - - - -- etcd -- kubelet (node certificate) -- kubelet (serving certificate, if [enabled](https://rancher.com/docs/rke/latest/en/config-options/services/#kubelet-options)) -- kube-apiserver -- kube-proxy -- kube-scheduler -- kube-controller-manager - - - - - admin - api-server - controller-manager @@ -42,9 +28,6 @@ Certificates can be rotated for the following services: - kubelet - kube-proxy - - - :::note For users who didn't rotate their webhook certificates, and they have expired after one year, please see this [page](../../../troubleshooting/other-troubleshooting-tips/expired-webhook-certificate-rotation.md) for help. 
@@ -68,15 +51,4 @@ Rancher launched Kubernetes clusters have the ability to rotate the auto-generat ### Additional Notes - - - -Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher launched Kubernetes clusters. - - - - -In RKE2, both etcd and control plane nodes are treated as the same `server` concept. As such, when rotating certificates of services specific to either of these components will result in certificates being rotated on both. The certificates will only change for the specified service, but you will see nodes for both components go into an updating state. You may also see worker only nodes go into an updating state. This is to restart the workers after a certificate change to ensure they get the latest client certs. - - - +In RKE2/K3s, both etcd and control plane nodes are treated as the same `server` concept. As such, when rotating certificates of services specific to either of these components will result in certificates being rotated on both. The certificates will only change for the specified service, but you will see nodes for both components go into an updating state. You may also see worker only nodes go into an updating state. This is to restart the workers after a certificate change to ensure they get the latest client certs. From 67a549b2896755880a10a66427d184ce5d4adce8 Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Wed, 30 Jul 2025 17:01:24 -0700 Subject: [PATCH 2/2] rm RKE1 references: rotate-encryption-key --- .../manage-clusters/rotate-encryption-key.md | 37 ++----------------- .../manage-clusters/rotate-encryption-key.md | 37 ++----------------- .../manage-clusters/rotate-encryption-key.md | 37 ++----------------- .../manage-clusters/rotate-encryption-key.md | 37 ++----------------- 4 files changed, 16 insertions(+), 132 deletions(-) 
diff --git a/docs/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md b/docs/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md index 5d56f2c60aa..59d1eed2fac 100644 --- a/docs/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md +++ b/docs/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md @@ -6,39 +6,11 @@ title: Encryption Key Rotation -### RKE1 Encryption Key Rotation +:::note Important -1. Enable encryption key rotation with either of the following two options: +Encryption key rotation is enabled by default and cannot be disabled. - - Select the `Enabled` radio button in the Rancher UI under **Cluster Options > Advanced Options > Secrets Encryption**: - - ![Enable Encryption Key Rotation](/img/rke1-enable-secrets-encryption.png) - - - OR, apply the following YAML: - - ```yaml - rancher_kubernetes_engine_config: - services: - kube_api: - secrets_encryption_config: - enabled: true - ``` - -2. Rotate keys in the Rancher UI: - - 2.1. Click **☰ > Cluster Management**. - - 2.2. Select **⋮ > Rotate Encryption Keys** on the far right of the screen next to your chosen cluster: - - ![Encryption Key Rotation](/img/rke1-encryption-key.png) - - - -### RKE2 Encryption Key Rotation - -_**New in v2.6.7**_ - ->**Important:** Encryption key rotation is enabled by default and cannot be disabled. +::: To rotate keys in the Rancher UI: @@ -48,5 +20,4 @@ To rotate keys in the Rancher UI: ![Encryption Key Rotation](/img/rke2-encryption-key.png) - ->**Note:** For more information on RKE2 secrets encryption config, please see the [RKE2 docs](https://docs.rke2.io/security/secrets_encryption). \ No newline at end of file +>**Note:** For more information on RKE2 secrets encryption config, please see the [RKE2 docs](https://docs.rke2.io/security/secrets_encryption). 
diff --git a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md index b8c52cf70c5..f05c3b9d4d9 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md +++ b/i18n/zh/docusaurus-plugin-content-docs/current/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md @@ -2,39 +2,11 @@ title: 加密密钥轮换 --- -## RKE1 加密密钥轮换 +:::note 重要 -1. 使用以下两个选项之一来启用加密密钥轮换: +加密密钥轮换默认启用,不能禁用。 - - 在 Rancher UI 中的 **Cluster Options > Advanced Options > Secrets Encryption** 下选择 `Enabled` 单选按钮: - - ![启用加密密钥轮换](/img/rke1-enable-secrets-encryption.png) - - - 或者,应用以下 YAML: - - ```yaml - rancher_kubernetes_engine_config: - services: - kube_api: - secrets_encryption_config: - enabled: true - ``` - -2. 在 Rancher UI 中轮换密钥: - - 2.1. 点击 **☰ > 集群管理**。 - - 2.2. 在所选集群旁边的屏幕最右侧选择 **⋮ > Rotate Encryption Keys**: - - ![加密密钥轮换](/img/rke1-encryption-key.png) - - - -## RKE2 加密密钥轮换 - -_**v2.6.7 新功能**_ - -> **重要提示**:加密密钥轮换默认启用,不能禁用。 +::: 要在 Rancher UI 中轮换密钥: @@ -44,5 +16,4 @@ _**v2.6.7 新功能**_ ![加密密钥轮换](/img/rke2-encryption-key.png) - -> **注意**:有关 RKE2 密文加密配置的更多信息,请参阅 [RKE2 文档](https://docs.rke2.io/security/secrets_encryption)。 \ No newline at end of file +> **注意**:有关 RKE2 密文加密配置的更多信息,请参阅 [RKE2 文档](https://docs.rke2.io/security/secrets_encryption)。 diff --git a/i18n/zh/docusaurus-plugin-content-docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md b/i18n/zh/docusaurus-plugin-content-docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md index b8c52cf70c5..f05c3b9d4d9 100644 --- a/i18n/zh/docusaurus-plugin-content-docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md 
+++ b/i18n/zh/docusaurus-plugin-content-docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md @@ -2,39 +2,11 @@ title: 加密密钥轮换 --- -## RKE1 加密密钥轮换 +:::note 重要 -1. 使用以下两个选项之一来启用加密密钥轮换: +加密密钥轮换默认启用,不能禁用。 - - 在 Rancher UI 中的 **Cluster Options > Advanced Options > Secrets Encryption** 下选择 `Enabled` 单选按钮: - - ![启用加密密钥轮换](/img/rke1-enable-secrets-encryption.png) - - - 或者,应用以下 YAML: - - ```yaml - rancher_kubernetes_engine_config: - services: - kube_api: - secrets_encryption_config: - enabled: true - ``` - -2. 在 Rancher UI 中轮换密钥: - - 2.1. 点击 **☰ > 集群管理**。 - - 2.2. 在所选集群旁边的屏幕最右侧选择 **⋮ > Rotate Encryption Keys**: - - ![加密密钥轮换](/img/rke1-encryption-key.png) - - - -## RKE2 加密密钥轮换 - -_**v2.6.7 新功能**_ - -> **重要提示**:加密密钥轮换默认启用,不能禁用。 +::: 要在 Rancher UI 中轮换密钥: @@ -44,5 +16,4 @@ _**v2.6.7 新功能**_ ![加密密钥轮换](/img/rke2-encryption-key.png) - -> **注意**:有关 RKE2 密文加密配置的更多信息,请参阅 [RKE2 文档](https://docs.rke2.io/security/secrets_encryption)。 \ No newline at end of file +> **注意**:有关 RKE2 密文加密配置的更多信息,请参阅 [RKE2 文档](https://docs.rke2.io/security/secrets_encryption)。 diff --git a/versioned_docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md b/versioned_docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md index 5d56f2c60aa..59d1eed2fac 100644 --- a/versioned_docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md +++ b/versioned_docs/version-2.12/how-to-guides/new-user-guides/manage-clusters/rotate-encryption-key.md 
@@ -6,39 +6,11 @@ title: Encryption Key Rotation -### RKE1 Encryption Key Rotation +:::note Important -1. Enable encryption key rotation with either of the following two options: +Encryption key rotation is enabled by default and cannot be disabled. - - Select the `Enabled` radio button in the Rancher UI under **Cluster Options > Advanced Options > Secrets Encryption**: - - ![Enable Encryption Key Rotation](/img/rke1-enable-secrets-encryption.png) - - - OR, apply the following YAML: - - ```yaml - rancher_kubernetes_engine_config: - services: - kube_api: - secrets_encryption_config: - enabled: true - ``` - -2. Rotate keys in the Rancher UI: - - 2.1. Click **☰ > Cluster Management**. - - 2.2. Select **⋮ > Rotate Encryption Keys** on the far right of the screen next to your chosen cluster: - - ![Encryption Key Rotation](/img/rke1-encryption-key.png) - - - -### RKE2 Encryption Key Rotation - -_**New in v2.6.7**_ - ->**Important:** Encryption key rotation is enabled by default and cannot be disabled. +::: To rotate keys in the Rancher UI: @@ -48,5 +20,4 @@ To rotate keys in the Rancher UI: ![Encryption Key Rotation](/img/rke2-encryption-key.png) - ->**Note:** For more information on RKE2 secrets encryption config, please see the [RKE2 docs](https://docs.rke2.io/security/secrets_encryption). \ No newline at end of file +>**Note:** For more information on RKE2 secrets encryption config, please see the [RKE2 docs](https://docs.rke2.io/security/secrets_encryption).
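Review bot: in rotate-certificates.md, hunk `@@ -68,15 +51,4 @@` (docs/ and versioned_docs/version-2.12 copies), the added paragraph carries over a sentence with no subject: "As such, when rotating certificates of services specific to either of these components will result in certificates being rotated on both." Since the line is rewritten here anyway, drop "when" so it reads "As such, rotating certificates of services specific to either of these components will result in ...". The following sentence, "The certificates will only change for the specified service", reads as contradicting "rotated on both". Consider stating once that nodes of both roles go into an updating state while only the specified service's certificates change. "worker only nodes" should also be hyphenated as "worker-only nodes".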
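Review bot: in rotate-encryption-key.md, hunk `@@ -6,39 +6,11 @@`, removing the "RKE2 Encryption Key Rotation" heading leaves the page with no statement of which cluster types it covers. The claim "Encryption key rotation is enabled by default and cannot be disabled." was previously scoped by that heading and now reads as unconditional. Patch 1/2 widens the certificate page to "RKE2/K3s", but this page names neither in its body after the change. Add one sentence before the admonition saying which distributions the procedure applies to, and if K3s is in scope, make that explicit here as well so the two pages agree.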
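Review bot: in rotate-encryption-key.md, hunk `@@ -48,5 +20,4 @@`, the trailing note is only given a final newline and stays in the old blockquote form (`>**Note:** For more information on RKE2 secrets encryption config, ...`), while the hunk above it converts the "Important" blockquote to a `:::note` admonition. Convert this one to an admonition too so the page uses a single callout style. The same mismatch is present in the i18n/zh copies (`> **注意**` next to `:::note 重要`).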