Renew Certificates for Air-gap Clusters

Kubernetes uses SSL certificates to secure the communication between different components of a cluster. Using these certificates allows Kubernetes to secure API connections, verify the authenticity of the nodes, and encrypt connections. All certificates have an expiry date, and need to be renewed periodically.

This page guides you through the different methods used to renew certificates in an air-gapped Palette Edge cluster. An air-gapped cluster means a cluster that has no connection to a Palette instance.

Limitations

• The procedure described in this guide only renews certificates for control plane nodes. Certificate renewal for worker nodes is not supported.
• The certificates used are generated by Kubernetes. You cannot use your own certificates.

Automatic Renewal

Palette Edge will automatically renew all control plane certificates your cluster uses for you 30 days before they expire. You can follow the steps below to check when the next automatic renewal will happen.

Prerequisite

• You have an active cluster in a air-gapped Edge host.
• You have access to Local UI for the Edge host. For more information, refer to Access Local UI.

Check Next Auto Renewal Time

1. Log in to Local UI.

2. From the left Main Menu, select Cluster.

3. Select the Overview tab on the Cluster page.

4. In Overview, click View Certificates in the Kubernetes Certificates row. This will display all the certificates currently in use by your cluster.

5. The next renewal time, which is 30 days before the expiry date, for your certificates is at the top of the pop-up box.

Validate

In Overview, click View Certificates in the Kubernetes Certificates row. This will display all the certificates currently in use by your cluster. You can confirm that the certificates have been renewed by looking at the issue date of certificates.

Manual Renewal

You can also manually renew your certificates whenever you want. You can do this through Local UI or through the Edge Management API.

Prerequisite

• You have an active cluster in a air-gapped Edge host.
• You have access to Local UI for the Edge host. For more information, refer to Access Local UI.

Manually Renew Certificates

Local UI

1. Log in to Local UI.

2. From the left Main Menu, select Cluster.

3. Select the Overview tab on the Cluster page.

4. In Overview, click View Certificates in the Kubernetes Certificates row. This will display all the certificates currently in use by your cluster.

5. Click Renew to renew all certificates used by the cluster.

API

1. Issue the following command to call the Edge Management authentication API. Replace edge-host-ip with the IP of your Edge host and replace os-username and os-password with your Operating System (OS) user credentials.

   curl --location 'https://edge-host-ip:5080/v1/users/default/login' \
   --header 'Content-Type: application/json' \
   --data '{
      "username": "os-username",
      "password": "os-password"
   }'

   This will return an authentication token.

   {
     "Token": {
       "Authorization": "******"
     }
   }

2. Issue the following command to call the endpoint to renew your control plane node certificates. Put the authentication token you obtained in the previous step in the header.

   curl -X POST "https://edge-host-ip:5080/v1/edge-mgmt/cluster/renew-certificates" \
     --header "Authorization: *******"

   This will renew all certificates on the control plane nodes.

Validate

In Overview, click View Certificates in the Kubernetes Certificates row. This will display all the certificates currently in use by your cluster. You can confirm that the certificates have been renewed by looking at the issue date of certificates.