Limitations
This certificate rotation procedure is only supported when the cluster is still in a healthy state and the certificate hasn’t expired. Since if the cluster is not in a good state, and the certificate expired, the node might have issues coming up since containerd can’t pull the image.
We don’t have docs to rotate expired certificates for now.
Currently TKG support those parameters to configure external certificates in classy clusters:
This document contains steps on how to rotate TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE.
Since these are external certificates, the most straightforward solution is the traditional 3-steps certificate rotation method. In general:
Phase1
-----BEGIN CERTIFICATE----- Old -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- New -----END CERTIFICATE-----
$ cat <certifcate-file-name> | base64 -w0 ## use below string to represent the encoded value in following examples AAAAB3NzaC1yc2EAAAADAQABAAAA
kubectl edit <cluster-name> -n <namespace>
kubectl get nodes
kubectl get secret -n tkg-system tkr-source-controller-values -ojsonpath='{.data.values\.yaml}' | base64 -d > tkr-source-controller-values-content
caCerts: AAAAB3NzaC1yc2EAAAADAQABAAAA
cat tkr-source-controller-values-content | base64 -w0
kubectl edit secret tkr-source-controller-values -n tkg-system ## edit .data.values.yaml
kubectl delete pod -n tkg-system --selector=app=tkr-source-controller
kubectl get secret -n tkg-system tkg-pkg-tkg-system-values -ojsonpath='{.data.tkgpackagevalues\.yaml}' | base64 -d > tkg-pkg-values
tkrSourceControllerPackage: tkrSourceControllerPackageValues: caCerts: AAAAB3NzaC1yc2EAAAADAQABAAAA configvalues: TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: AAAAB3NzaC1yc2EAAAADAQABAAAA
cat tkg-pkg-values | base64 -w0
kubectl edit secret -n tkg-system tkg-pkg-tkg-system-values ## edit .data.tkgpackagevalues.yaml