[KOPS users] How to renew all certificates which been generated by KOPS

security

#1

Hi,

I launched my Kubernetes cluster with KOPS and I’m curious how certificates has been generated and managed by KOPS.

I don’t know if KOPS or Kubernetes can help to keep them from expired.

I went the KOPS state store bucket, and I found a lot of CA certificates which terrified me as it is not single CA.

❯ aws s3 ls $KOPS_STATE_STORE/$CLUSTER/pki/issued/
                           PRE apiserver-aggregator-ca/
                           PRE apiserver-aggregator/
                           PRE apiserver-proxy-client/
                           PRE ca/
                           PRE kops/
                           PRE kube-controller-manager/
                           PRE kube-proxy/
                           PRE kube-scheduler/
                           PRE kubecfg/
                           PRE kubelet-api/
                           PRE kubelet/
                           PRE master/

I wonder how people manage those certificates and keep them from expired in Production. What Cert Tool can help us to achieve this. Thanks


#2

Greetings!

I recently checked it this out and i have an issue with this, 'cause as you mentioned it there are a lot of CA and i’m thinking on use openssl to solve this, i’ll build a script that allow me to replace those expired certs by the new ones instead.

If you have another idea, i’ll be pleased to heard