From 24871e6095c046324d6891ec1e52ec28cedfe4b4 Mon Sep 17 00:00:00 2001 From: atsikham Date: Thu, 3 Feb 2022 15:54:15 +0100 Subject: [PATCH] Extend doc about k8s control plane certificates renewal --- docs/changelogs/CHANGELOG-2.0.md | 1 + docs/home/howto/kubernetes/CERTIFICATES.md | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/docs/changelogs/CHANGELOG-2.0.md b/docs/changelogs/CHANGELOG-2.0.md index 0c4aaaea40..42d71bbc3e 100644 --- a/docs/changelogs/CHANGELOG-2.0.md +++ b/docs/changelogs/CHANGELOG-2.0.md @@ -17,6 +17,7 @@ - [#2828](https://github.com/epiphany-platform/epiphany/issues/2828) - K8s improvements - Re-generate apiserver certificates only by purpose - Do not ignore preflight errors in `kubeadm join` + - Update documentation about control plane certificates renewal - [#2825](https://github.com/epiphany-platform/epiphany/issues/2825) - Upgrade Terraform and providers - Terraform 0.12.6 to 1.1.3 ([#2706](https://github.com/epiphany-platform/epiphany/issues/2706)) - Azurerm provider 1.38.0 to 2.91.0 diff --git a/docs/home/howto/kubernetes/CERTIFICATES.md b/docs/home/howto/kubernetes/CERTIFICATES.md index dd05a2c26f..c2e247dd53 100644 --- a/docs/home/howto/kubernetes/CERTIFICATES.md +++ b/docs/home/howto/kubernetes/CERTIFICATES.md @@ -2,6 +2,19 @@ ### TLS certificates in a cluster +--- +**NOTE** + +1. There are issues encountered for K8s HA clusters when certificates renewal is enabled and applied + after `kubeadm reset`. If you restored control plane VMs from snapshots or used this command and plan to + run `epicli apply`, make sure that `renew` option is set to `false`. + + +2. By default, kubeadm sets certificates expiration period to 1 year. If the cluster is upgraded, and different + expiration period is required, run `epicli apply` with appropriate configuration. + +--- + It's possible to regenerate Kubernetes control plane certificates with Epiphany. To do so, additional configuration should be specified.
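Review bot: In the CERTIFICATES.md hunk, both NOTE items tell the reader what to do without saying where to do it. Item 1 says "make sure that `renew` option is set to `false`" but never names the configuration document or key path that holds `renew`. Item 2 says to run `epicli apply` "with appropriate configuration" without naming the setting that controls the expiration period. Since the paragraph right after the note introduces the additional configuration, suggest moving the note below that configuration, or referring to the key by its full path, so the reader can tell which field is meant. Item 1 would also be more useful if "There are issues encountered" were replaced with the observed symptom, so an operator can recognise a cluster that is already affected after `kubeadm reset` or a snapshot restore. Style: "certificates renewal" and "certificates expiration period" read better as "certificate renewal" and "certificate expiration period", "different expiration period" needs an article, and there is an extra blank added line between items 1 and 2.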