updates to certs

Denise Schannon
2019-03-19 17:21:32 -07:00
parent fa997791fd
commit edd2577086
4 changed files with 39 additions and 58 deletions
@@ -1,23 +1,16 @@
---
title: Rotate Certificates for RKE clusters
shortTitle: Certificate Rotation
weight: 2225
title: Certificate Rotation
weight: 2245
---
_Available as of v2.2.0_
## Certificate Rotation
By default, Kubernetes clusters require certificates and Rancher launched Kubernetes clusters have certificates automatically generated for them.
As of v2.2, you can rotate certificates for RKE clusters in Rancher. You can chose to:
> **Note:** Even though the RKE CLI can use custom certificates for the Kubernetes cluster components, Rancher currently doesn't allow the ability to upload these in Rancher Launched Kubernetes clusters.
hen generating certificates, the cluster certificates are set to expire after 1 year and the CA certificate expires after 10 years. Rotating these certificates are important before the certificates expire as well as if a certificate is compromised.
- Rotate Certificate for all cluster components.
- Rotate Certificates for a specific component.
- Rotate CA certificates.
To rotate certificates for your cluster, open the **Global** view, make sure the **Clusters** tab is selected, and then select **Ellipsis (...) > Rotate Certificates** for the cluster that you want to rotate certificate.
### Certificate rotation for all cluster components
Certificates can be rotated for the following kubernetes cluster components:
After the certificates are rotated, the Kubernetes components are automatically restarted. Certificates can be rotated for the following services:
- etcd
- kubelet
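Review bot: the new paragraph beginning "hen generating certificates" has lost its first letter and should read "When generating certificates"; in the same paragraph "Rotating these certificates are important" should be "is important", and "You can chose to:" should be "choose". Since this hunk now states that service certificates expire after 1 year and the CA after 10, a pointer to how an operator can check the current expiry dates would help readers schedule rotation before a lapse rather than after an outage.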
@@ -26,13 +19,18 @@ Certificates can be rotated for the following kubernetes cluster components:
- kube-scheduler
- kube-controller-manager
Select **Rotate all Service certificates (keep the same CA)** to rotate all the certificates above.
Rancher launched Kubernetes clusters have the ability to rotate the auto-generated certificates through the UI.
### Certificate rotation for a specific component
1. In the **Global** view, navigate to the cluster that you want to rotate certificates.
To rotate an individual service certificate, select **Rotate an individual service** and chose one of the components from the drop down menu. It will result in rotating certificate for only this component.
2. Select the **Ellipsis (...) > Rotate Certificates**.
3. Select which certificates that you want to rotate.
### Certificate rotation for CA
* Rotate the CA and all Service certificates
* Rotate all Service certificates (keep the same CA)
* Rotate an individual service and choose one of the services from the drop down menu
To rotate Kubernetes CA certificate, select **Rotate the CA and all Service certificates** option. Note that rotating this certificate will trigger rotating all components' certificates as they need to be signed with the new rotated CA.
4. Click **Save**.
**Results:** The selected certificates will be rotated and the related services will be restarted to start using the new certificate.
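Review bot: step 1, "navigate to the cluster that you want to rotate certificates", is missing a preposition; "the cluster for which you want to rotate certificates" reads correctly. The **Results** line says the related services restart to use the new certificate, but nothing in the hunk says what happens to existing kubeconfig files or other clients that trust the old CA after **Rotate the CA and all Service certificates**; one sentence on whether those need to be refreshed would close that gap for operators.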
+17 -34
@@ -5,22 +5,22 @@ weight: 150
_Available as of v0.2.0_
Certificates are an important part of Kubernetes clusters and are used for all Kubernetes cluster components. RKE has added a `rke cert` command to help manage these certificates.
Certificates are an important part of Kubernetes clusters and are used for all Kubernetes cluster components. RKE has a `rke cert` command to help work with certificates.
* [Ability to generate certificate sign requests for the Kubernetes components](#generating-certificate-signing-requests-csrs-and-keys)
* [Rotate Auto-Generated Cluster Certificates](#certifiate-rotation)
* [Rotate Auto-Generated Certificates](#certificate-rotation)
## Generating Certificate Signing Requests (CSRs) and Keys
If you want to create and sign the certificates by a real Certificate Authority (CA), you can use RKE to [generate a set of Certificate Signing Requests (CSRs) and keys]({{< baseurl >}}/rke/v0.1.x/en/installation/certs/#generating-certificate-signing-requests-csrs-and-keys). Using the `rke cert generate-csr` command, you will be able to generate the CRSs and keys.
If you want to create and sign the certificates by a real Certificate Authority (CA), you can use RKE to [generate a set of Certificate Signing Requests (CSRs) and keys]({{< baseurl >}}/rke/v0.1.x/en/installation/certs/#generating-certificate-signing-requests-csrs-and-keys).
You can use the CSRs and keys to sign the certificates by a real CA. After the certificates are signed, they can be used by RKE to use [custom certificates]({{< baseurl >}}/rke/v0.1.x/en/installation/certs/).
You can use the CSRs and keys to sign the certificates by a real CA. After the certificates are signed, these custom certificates can be used by RKE to as [custom certificates]({{< baseurl >}}/rke/v0.1.x/en/installation/certs/) for the Kubernetes cluster.
## Certificate Rotation
By default, Kubernetes clusters require certificates and RKE will automatically generate certificates for the clusters. When generating certificates, the cluster certificates will automatically expire after 1 year and the CA certificate will expire after 10 years. Before your certificates expire, Rancher recommends rotating the cluster certificates.
By default, Kubernetes clusters require certificates and RKE will automatically generate certificates for the clusters. When generating certificates, the certificates in each service are set to expire after 1 year and the CA certificate expires after 10 years. Rotating these certificates are important before the certificates expire as well as if a certificate is compromised.
After the certificates are rotated, the Kubernetes components are automatically restarted. Certificates can be rotated for the following Kubernetes cluster components:
After the certificates are rotated, the Kubernetes components are automatically restarted. Certificates can be rotated for the following services:
- etcd
- kubelet
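Review bot: in the rewritten sentence "these custom certificates can be used by RKE to as [custom certificates]", "to as" is a leftover from the old wording; drop "to". Further down, "Rotating these certificates are important" should be "is important". The corrected anchor "#certificate-rotation" now matches the "## Certificate Rotation" heading in this file, so the previously broken "#certifiate-rotation" link is fixed.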
@@ -29,33 +29,17 @@ After the certificates are rotated, the Kubernetes components are automatically
- kube-scheduler
- kube-controller-manager
RKE has the ability to rotate these auto-generated certificates with some simple commands:
RKE has the ability to rotate the auto-generated certificates with some simple commands:
* Rotating Cluster Certificates for All Kubernetes Cluster Components
* Rotating Cluster Certificates for a Single Kubernetes Component
* Rotating the CA Certificate and Cluster Certificates
* Rotating all service certificates while using the same CA
* Rotating a certificate on an individual service while using the same CA
* Rotating the CA and all service certificates
Whenever you're trying to rotate certificates, the `cluster.yml` that was used to deploy the Kubernetes cluster is required. You can reference a different location for this file by using the `--config` option when running `rke cert rotate`.
### Rotating all Service Certificates while using the same CA
```
$ rke cert rotate --help
NAME:
rke cert rotate - Rotate RKE cluster certificates
USAGE:
rke cert rotate [command options] [arguments...]
OPTIONS:
--config value Specify an alternate cluster YAML file (default: "cluster.yml") [$RKE_CONFIG]
--service value Specify a k8s service to rotate certs, (allowed values: kube-apiserver, kube-controller-manager, kube-scheduler, kubelet, kube-proxy, etcd)
--rotate-ca Rotate all certificates including CA certs
```
### Rotating Cluster Certificates for All Components
To rotate the cluster certificates for all the Kubernetes cluster components, run the following command, i.e. `rke cert rotate`. After all the cluster certificates are rotated, the Kubernetes components will automatically be restarted.
To rotate the service certificates for all the Kubernetes services, run the following command, i.e. `rke cert rotate`. After all the service certificates are rotated, these services will automatically be restarted to start using the new certificate.
```
$ rke cert rotate
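Review bot: in "run the following command, i.e. `rke cert rotate`", the "i.e." is redundant with the command block that follows; "run `rke cert rotate`" suffices. The `--help` output in this hunk lists kube-proxy among the allowed `--service` values, so the bulleted list of rotatable services just above (only its tail, kube-scheduler and kube-controller-manager, is visible here) should be checked to confirm it includes kube-proxy.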
@@ -77,11 +61,11 @@ INFO[0002] Rebuilding Kubernetes cluster with rotated certificates
INFO[0050] [worker] Successfully restarted Worker Plane..
```
### Rotating Cluster Certificates for a Specific Component
### Rotating a Certificate on an Individual Service while using the same CA
To rotate certificates for individual Kubernetes components, use the `--service` option when rotating certificates to specify which component. As always, the specified Kubernetes component is automatically restarted after the certificate is rotated.
To rotate the certificate for an individual Kubernetes service, use the `--service` option when rotating certificates to specify the service. After the specified Kubernetes service has had its certificate rotated, it is automatically restarted to start using the new certificate.
Example of rotating the certificate for only the `kubelet` component.
Example of rotating the certificate for only the `kubelet`:
```
$ rke cert rotate --service kubelet
@@ -94,10 +78,9 @@ INFO[0000] Rebuilding Kubernetes cluster with rotated certificates
INFO[0033] [worker] Successfully restarted Worker Plane..
```
### Rotating CA Certificate and all Cluster Certificates
If the CA certificate needs to be rotated, you are required to rotate all the cluster certificates for all components as they need to be signed with the newly rotated CA certificate. To include rotating the CA certificate with the cluster certificates, add the `--rotate-ca` option. As always, all Kubernetes components are automatically restarted after the certificates are rotated.
### Rotating the CA and all service certificates
If the CA needs to be rotated, you are required to rotate all the services certificates as they need to be signed with the newly rotated CA. To include rotating the CA with the service certificates, add the `--rotate-ca` option. After the the CA and all the service certificates are rotated, these services will automatically be restarted to start using the new certificate.
```
$ rke cert rotate --rotate-ca
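Review bot: "After the the CA" has a doubled "the". Heading style is also inconsistent within this file: "Rotating a Certificate on an Individual Service while using the same CA" uses title case while "Rotating the CA and all service certificates" does not; pick one. Since the text says every service certificate is re-signed when the CA is rotated, consider stating whether `--rotate-ca` can be combined with `--service` or always implies a full rotation.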
+1 -1
@@ -113,7 +113,7 @@ The last line should read `Finished building Kubernetes cluster successfully` to
_Available as of v0.2.0_
By default, RKE auto-generates the certificates for all cluster components. You can also use [custom certificates]({{< baseurl >}}/rke/v0.1.x/en/installation/certs/). After the Kubernetes cluster is deployed, you can [manage the auto-generated certificates]({{< baseurl >}}/rke/v0.1.x/en/cert-mgmt/).
By default, Kubernetes clusters require certificates and RKE auto-generates the certificates for all cluster components. You can also use [custom certificates]({{< baseurl >}}/rke/v0.1.x/en/installation/certs/). After the Kubernetes cluster is deployed, you can [manage these auto-generated certificates]({{< baseurl >}}/rke/v0.1.x/en/cert-mgmt/#certifcate-rotation).
### Kubernetes Cluster State
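Review bot: the new link anchor "#certifcate-rotation" is misspelled and will not resolve; the target heading is "## Certificate Rotation", so the anchor should be "#certificate-rotation", matching the corrected link in the cert-mgmt page changed in this same commit.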
@@ -5,7 +5,7 @@ weight: 150
_Available as of v0.2.0_
By default, RKE auto-generates the certificates for all the cluster components when installing Kubernetes. RKE can also use custom certificates for these Kubernetes cluster components.
By default, Kubernetes clusters require certificates and RKE auto-generates the certificates for all the Kubernetes services. RKE can also use custom certificates for these Kubernetes services.
When [deploying Kubernetes with RKE]({{< baseurl >}}/rke/v0.1.x/en/installation/#deploying-kubernetes-with-rke), there are two additional options that can be used with `rke up` so that RKE uses custom certificates.
@@ -43,11 +43,11 @@ The following certificates must exist in the certificate directory.
## Generating Certificate Signing Requests (CSRs) and Keys
If you want to create and sign the certificates by a real Certificate Authority (CA), you can use RKE to generate a set of Certificate Signing Requests (CSRs) and keys. Using the `rke cert generate-csr` command, you will be able to generate the CRSs and keys.
If you want to create and sign the certificates by a real Certificate Authority (CA), you can use RKE to generate a set of Certificate Signing Requests (CSRs) and keys. Using the `rke cert generate-csr` command, you can generate the CSRs and keys.
1. Set up your `cluster.yml` with the [node information]({{< baseurl >}}/rke/v0.1.x/en/config-options/nodes/).
2. Run `rke cert generate-csr` to generate certificates for the node(s) in the `cluster.yml`. By default, the CSRs and keys will be saved in `./cluster_certs`. To have them saved in a different directory, use `--cert-dir`.
2. Run `rke cert generate-csr` to generate certificates for the node(s) in the `cluster.yml`. By default, the CSRs and keys will be saved in `./cluster_certs`. To have them saved in a different directory, use `--cert-dir` to define what directory to have them saved in.
```
$ rke cert generate-csr
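Review bot: step 2 now reads "To have them saved in a different directory, use `--cert-dir` to define what directory to have them saved in", which repeats itself; the previous wording "use `--cert-dir`" was sufficient. Since the output directory holds the generated private keys alongside the CSRs, a short note on restricting access to that directory before the keys are used would help readers.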
@@ -63,7 +63,7 @@ If you want to create and sign the certificates by a real Certificate Authority
INFO[0001] Successfully Deployed certificates at [./cluster_certs]
```
**Result:** The CSRs and keys will be deployed in `./cluster_certs` directory. The CSR files will contain the right Alternative DNS and IP Names for the certificates. You can use them to sign the certificates by a real CA. After the certificates are signed, they can be used by RKE for custom certificates.
**Result:** The CSRs and keys will be deployed in `./cluster_certs` directory, assuming you didn't specify a `--cert-dir`. The CSR files will contain the right Alternative DNS and IP Names for the certificates. You can use them to sign the certificates by a real CA. After the certificates are signed, those certificates can be used by RKE as custom certificates.
```
$ tree cluster_certs
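Review bot: "in `./cluster_certs` directory" is missing "the". "the right Alternative DNS and IP Names" would be clearer as "the correct DNS and IP Subject Alternative Names (SANs)", which is the term readers will see when inspecting the CSRs.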