Renew Certificates for Airgap Clusters
Kubernetes uses TLS (SSL) certificates to secure communication between the components of a cluster. These certificates let Kubernetes authenticate API connections, verify the identity of nodes, and encrypt traffic. Every certificate has an expiry date and must be renewed periodically.
This page guides you through the methods available to renew certificates in an airgapped Palette Edge cluster. An airgapped cluster is a cluster that has no connection to a Palette instance. For information on how to renew certificates on connected Edge clusters, refer to Renew Cluster PKI Certificates.
Limitations
- The procedure described in this guide only renews certificates for control plane nodes. Certificate renewal for worker nodes is not supported.
- The certificates used are generated by Kubernetes. You cannot use your own certificates.
Automatic Renewal
Palette Edge automatically renews all control plane certificates used by your cluster 30 days before they expire. Follow the steps below to check when the next automatic renewal will happen.
Prerequisites
- You have an active cluster on an airgapped Edge host.
- You have access to Local UI for the Edge host. For more information, refer to Access Local UI.
Check Next Auto Renewal Time
1. Log in to Local UI.
2. From the left Main Menu, select Cluster.
3. Select the Overview tab on the Cluster page.
4. In Overview, click View Certificates in the Kubernetes Certificates row. This displays all the certificates currently in use by your cluster.
5. The next renewal time for your certificates, which is 30 days before their expiry date, is shown at the top of the pop-up box.
Validate
In Overview, click View Certificates in the Kubernetes Certificates row. This displays all the certificates currently in use by your cluster. You can confirm that the certificates have been renewed by checking their expiry dates. The issue date of the certificates will not change after certificate renewal.
Manual Renewal
You can also renew your certificates manually at any time, either through Local UI or through the Edge Management API.
Prerequisites
- You have an active cluster on an airgapped Edge host.
- You have access to Local UI for the Edge host. For more information, refer to Access Local UI.
Manually Renew Certificates
Local UI

1. Log in to Local UI.
2. From the left Main Menu, select Cluster.
3. Select the Overview tab on the Cluster page.
4. In Overview, click View Certificates in the Kubernetes Certificates row. This displays all the certificates currently in use by your cluster.
5. Click Renew to renew all certificates used by the cluster.
API

1. Issue the following command to call the Edge Management authentication API. Replace edge-host-ip with the IP of your Edge host, and replace os-username and os-password with your Operating System (OS) user credentials.

curl --location 'https://edge-host-ip:5080/v1/users/default/login' \
--header 'Content-Type: application/json' \
--data '{
  "username": "os-username",
  "password": "os-password"
}'

This will return an authentication token.

{
  "Token": {
    "Authorization": "******"
  }
}

2. Issue the following command to call the endpoint that renews your control plane node certificates. Put the authentication token you obtained in the previous step in the Authorization header.

curl -X POST "https://edge-host-ip:5080/v1/edge-mgmt/cluster/renew-certificates" \
--header "Authorization: *******"

This will renew all certificates on the control plane nodes.
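As an added example that is not part of the Palette documentation, the following POSIX shell script performs the same two API calls end to end: it authenticates, extracts the token from the login response, and submits the renewal request without ever printing the token. It assumes the Edge host address and OS credentials are supplied through the environment variables EDGE_HOST, OS_USERNAME and OS_PASSWORD (names chosen here, not part of the API), and that the Edge host's TLS certificate is trusted by curl's CA store.

```shell
#!/bin/sh
# Added example, not from the Palette docs: drive the two-step API renewal
# (login, then POST to renew-certificates) from one script. Assumes EDGE_HOST,
# OS_USERNAME and OS_PASSWORD are exported (kept off the command line so they
# do not appear in process listings) and that the Edge host's TLS certificate
# is trusted by curl (if not, pass --cacert with the host's CA; avoid --insecure).
set -eu

# Escape backslashes and double quotes so credentials survive JSON encoding.
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Extract the token from a login response shaped like
# {"Token":{"Authorization":"..."}}. Prints nothing if the key is absent.
extract_token() {
  printf '%s' "$1" | tr -d '\n\r\t ' | sed -n 's/.*"Authorization":"\([^"]*\)".*/\1/p'
}

# Step 1: authenticate against the Edge Management API and print the token.
edge_login() {
  body=$(printf '{"username":"%s","password":"%s"}' \
    "$(json_escape "$2")" "$(json_escape "$3")")
  resp=$(curl --silent --show-error --fail --location \
    "https://$1:5080/v1/users/default/login" \
    --header 'Content-Type: application/json' --data "$body")
  token=$(extract_token "$resp")
  [ -n "$token" ] || { echo "login response contained no token" >&2; return 1; }
  printf '%s' "$token"
}

# Step 2: request renewal of the control plane certificates. Only the HTTP
# status is printed, so the token never reaches the terminal or shell history.
edge_renew_certificates() {
  curl --silent --show-error --output /dev/null --write-out '%{http_code}' \
    -X POST "https://$1:5080/v1/edge-mgmt/cluster/renew-certificates" \
    --header "Authorization: $2"
}

main() {
  tok=$(edge_login "$EDGE_HOST" "$OS_USERNAME" "$OS_PASSWORD")
  status=$(edge_renew_certificates "$EDGE_HOST" "$tok")
  case "$status" in
    2*) echo "renewal requested (HTTP $status); confirm new expiry dates in Local UI" ;;
    *)  echo "renewal request failed (HTTP $status)" >&2; exit 1 ;;
  esac
}
# Only run when an Edge host is configured, so the functions can be sourced.
[ -z "${EDGE_HOST:-}" ] || main
```

After the script reports success, confirm the renewal in Local UI by checking that the certificate expiry dates have moved forward.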
Validate
In Overview, click View Certificates in the Kubernetes Certificates row. This displays all the certificates currently in use by your cluster. You can confirm that the certificates have been renewed by checking their expiry dates. The issue date of the certificates will not change after certificate renewal.