Limitations
This certificate rotation procedure is only supported while the cluster is still healthy and the certificate has not expired. If the cluster is unhealthy and the certificate has already expired, nodes may fail to come up because containerd cannot pull images.
There is currently no documented procedure for rotating certificates that have already expired.
Currently, TKG supports the following parameters for configuring external certificates in classy clusters:
This document covers how to rotate ADDITIONAL_IMAGE_REGISTRY_1_CA_CERTIFICATE, ADDITIONAL_IMAGE_REGISTRY_2_CA_CERTIFICATE, and ADDITIONAL_IMAGE_REGISTRY_3_CA_CERTIFICATE.
Since these are external certificates, the most straightforward approach is the traditional three-step certificate rotation: trust both the old and the new CA, switch the registry to the new certificate, then drop the old CA so that image pulls keep working throughout. In general:
Phase 1
Combine the old and the new certificate into one PEM bundle file, old certificate first:
-----BEGIN CERTIFICATE-----
Old
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
New
-----END CERTIFICATE-----
$ cat <certificate-file-name> | base64 -w0
## the string below is used to represent the encoded value in the following examples
AAAAB3NzaC1yc2EAAAADAQABAAAA1
kubectl edit cluster <cluster-name> -n <namespace>  ## replace the CA certificate value(s) with the encoded bundle
kubectl get nodes  ## confirm the nodes are Ready after the cluster update
kubectl get secret -n tkg-system tkg-pkg-tkg-system-values -ojsonpath='{.data.tkgpackagevalues\.yaml}' | base64 -d > tkg-pkg-values
## in tkg-pkg-values, update the values under configvalues:
configvalues:
  ADDITIONAL_IMAGE_REGISTRY_1_CA_CERTIFICATE: AAAAB3NzaC1yc2EAAAADAQABAAAA1
  ADDITIONAL_IMAGE_REGISTRY_2_CA_CERTIFICATE: AAAAB3NzaC1yc2EAAAADAQABAAAA2  ## if set
  ADDITIONAL_IMAGE_REGISTRY_3_CA_CERTIFICATE: AAAAB3NzaC1yc2EAAAADAQABAAAA3  ## if set
cat tkg-pkg-values | base64 -w0  ## re-encode the edited file
kubectl edit secret -n tkg-system tkg-pkg-tkg-system-values  ## paste the re-encoded value into .data.tkgpackagevalues.yaml
Phase 2
Update the certificate on the registry server that the customer manages.
Phase 3
Repeat Phase 1, but this time encode only the new certificate; the old certificate is no longer needed.
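The Phase 1 bundle-and-encode steps (and the Phase 3 repeat with only the new certificate), as an added shell example that is not part of the TKG documentation. It assumes old.pem and new.pem are the PEM CA certificates and tkg-pkg-values is the decoded tkgpackagevalues.yaml; it validates the inputs and rewrites the chosen ADDITIONAL_IMAGE_REGISTRY_<n>_CA_CERTIFICATE value, leaving the rest of the file untouched.

```shell
#!/bin/sh
# Added example, not from the TKG docs. Builds the PEM bundle used in Phase 1
# (old certificate followed by new), encodes it on one line as the procedure
# expects, and rewrites ADDITIONAL_IMAGE_REGISTRY_<n>_CA_CERTIFICATE in a
# decoded tkgpackagevalues.yaml. File names old.pem, new.pem and
# tkg-pkg-values are assumptions; Phase 3 is the same call with only new.pem.

# A file qualifies only if it holds exactly one PEM certificate block.
check_pem() {
  f="$1"
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  m=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
  [ "$n" -eq 1 ] && [ "$m" -eq 1 ]
}

# Concatenate the certificates in the order given (old first, then new).
make_bundle() {
  for f in "$@"; do
    check_pem "$f" || { echo "not a single PEM certificate: $f" >&2; return 1; }
  done
  cat "$@"
}

# Single-line base64, equivalent to GNU 'base64 -w0' but also works on BSD.
# Validation happens before the pipeline so a bad file cannot yield "" silently.
encode_bundle() {
  bundle=$(make_bundle "$@") || return 1
  printf '%s\n' "$bundle" | base64 | tr -d '\n'
}

# Replace the value of ADDITIONAL_IMAGE_REGISTRY_<idx>_CA_CERTIFICATE in the
# decoded values file in place (a .bak copy is kept); refuse if the key is not set.
set_registry_ca() {
  values_file="$1"; idx="$2"; encoded="$3"
  key="ADDITIONAL_IMAGE_REGISTRY_${idx}_CA_CERTIFICATE"
  grep -q "^[[:space:]]*${key}:" "$values_file" || {
    echo "$key is not set in $values_file" >&2; return 1; }
  sed -i.bak "s|^\([[:space:]]*${key}:\).*|\1 ${encoded}|" "$values_file"
}

# Typical Phase 1 use (then re-encode the file and paste it into the secret):
#   encoded=$(encode_bundle old.pem new.pem)
#   set_registry_ca tkg-pkg-values 1 "$encoded"
```

The same encoded string is what goes into the cluster object in the `kubectl edit cluster` step; for Phase 3 run `encode_bundle new.pem` alone.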