Rotate certificates for Kubernetes

So, how to do this in CFCR?

First, you need to know how the CA certificate values are set in the manifest.

  1. Modify the manifest to add the new CA certificate. For example, you can duplicate the existing kubo_ca variable definition and add it again under the name kubo_ca_2019.
  2. Find all the certificates that use the given CA. Then find every reference to that CA in the manifest and add the second CA next to it, so that both CAs are trusted at the same time.
    For example, the line should look like ca: ((tls-kubernetes.ca))((kubo_ca_2019.certificate)), i.e. two PEM blocks concatenated into one trust bundle.
    Also, since a certificate in the manifest is just an object with three properties (ca, certificate and private_key), some places hide these properties and reference the variable directly. You will have to expand those references and set the individual properties for each key, so that the ca property can carry the bundle.
    Note that ((tls-kubernetes.ca)) resolves to whichever CA currently signs tls-kubernetes. Once step 5 re-signs that certificate it resolves to the new CA, so the old CA would drop out of the bundle while the rolling update in step 6 is still in progress; referencing the certificate property of both CA variables explicitly keeps the bundle identical from step 4 through step 6.
  3. Find all the links and reconfigure them manually, adding the additional CA certificate where it is required.
  4. Deploy CFCR with the new manifest. This restarts the jobs on all the VMs and might cause workload downtime. After this deploy every component trusts both CAs, while all leaf certificates are still signed by the old one.
  5. Now change the CA for all the certificates in the manifest: set the ca option of each certificate variable to the new CA and enable converging variables in the manifest (converge_variables), so that BOSH regenerates every certificate whose options changed.
  6. Deploy CFCR with the new manifest. This restarts all the jobs and might lead to workload downtime. Because both CAs are still trusted, instances that already present certificates from the new CA can keep talking to instances that still present old ones during the rolling update.
  7. Now you can delete the old CA from the manifest. Optionally, you can also rename the certificate in CredHub back to the original value (kubo_ca_2019 to kubo_ca) and revert the manifest to its original form.
  8. The last redeploy removes the old CA from the trusted certificates and restarts all the jobs as well. Any client outside the deployment that still embeds the old CA, such as a kubeconfig, has to be switched to the new CA before this step, otherwise it can no longer verify the API server.
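Putting the steps together, below is an added illustration of what the manifest looks like at the three stages of the rotation. It is not taken from the original post or from the kubo-deployment repository: the variable names kubo_ca, kubo_ca_2019 and tls-kubernetes come from the steps above, while the instance group, job and property layout (tls.kubernetes), the common names and the alternative names are an assumed, simplified sketch of a CFCR manifest. converge_variables is the BOSH manifest feature that step 5 refers to. The three YAML documents are separated by --- only so the differences are easy to see; in practice each stage is a separate edit followed by its own bosh deploy.

```yaml
# Stage 1 (steps 1 to 4): add the second CA and make every trust bundle
# contain BOTH CAs. Leaf certificates are still signed by kubo_ca.
# Assumed, simplified CFCR manifest layout, written for this illustration.
variables:
- name: kubo_ca                       # existing CA
  type: certificate
  options:
    is_ca: true
    common_name: ca
- name: kubo_ca_2019                  # step 1: copy of kubo_ca under a new name
  type: certificate
  options:
    is_ca: true
    common_name: ca-2019              # distinct CN so the two CAs can be told apart
- name: tls-kubernetes
  type: certificate
  options:
    ca: kubo_ca                       # unchanged in this stage
    common_name: kubernetes
    alternative_names: [kubernetes, kubernetes.default, kubernetes.default.svc]

instance_groups:
- name: master
  jobs:
  - name: kube-apiserver
    release: kubo
    properties:
      tls:
        # step 2: expanded from `kubernetes: ((tls-kubernetes))` so that the
        # ca key can hold a bundle of two PEM blocks. Both CA variables are
        # named explicitly; ((tls-kubernetes.ca)) would follow the signing CA
        # and silently drop kubo_ca from the bundle once step 5 re-signs the leaf.
        kubernetes:
          ca: ((kubo_ca.certificate))((kubo_ca_2019.certificate))
          certificate: ((tls-kubernetes.certificate))
          private_key: ((tls-kubernetes.private_key))
---
# Stage 2 (steps 5 and 6): re-sign every leaf with kubo_ca_2019. Only the
# parts that change are shown; the trust bundle above stays exactly as it is,
# so old and new leaves verify against every instance during the rolling update.
features:
  converge_variables: true            # BOSH regenerates variables whose options changed
variables:
- name: tls-kubernetes
  type: certificate
  options:
    ca: kubo_ca_2019                  # was kubo_ca
    common_name: kubernetes
    alternative_names: [kubernetes, kubernetes.default, kubernetes.default.svc]
---
# Stage 3 (steps 7 and 8): kubo_ca is gone from the variables and from the
# trust bundle; only the new CA remains.
variables:
- name: kubo_ca_2019
  type: certificate
  options:
    is_ca: true
    common_name: ca-2019
- name: tls-kubernetes
  type: certificate
  options:
    ca: kubo_ca_2019
    common_name: kubernetes
    alternative_names: [kubernetes, kubernetes.default, kubernetes.default.svc]

instance_groups:
- name: master
  jobs:
  - name: kube-apiserver
    release: kubo
    properties:
      tls:
        kubernetes:
          ca: ((kubo_ca_2019.certificate))   # or ((tls-kubernetes.ca)) again
          certificate: ((tls-kubernetes.certificate))
          private_key: ((tls-kubernetes.private_key))
```

The order is what makes this safe: trust is widened first (stage 1), identities are re-issued second (stage 2), and trust is narrowed last (stage 3). Skipping or merging the first two stages leaves a window in which one side of a connection presents a certificate the other side cannot verify.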
