This topic describes how to rotate certificates used by VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) Kubernetes clusters.
When TKGI provisions a Kubernetes cluster, the system generates certificate authority (CA) certificates and leaf certificates that have values and expiration dates unique to that cluster.
You can use the TKGI CLI to manage and rotate TKGI-provisioned Kubernetes cluster certificates. The following table summarizes these certificates and how to rotate them.
Certificates | When Used | How to Rotate
---|---|---
kubo_master_ca_2021, kubo_ca_2018, etcd_ca_2018, and their leaf certificates | All clusters. | See Rotate Kubernetes Cluster Certificates below.
tls_nsx_t and tls_nsx_lb | NSX-T only. These certificates must be registered with NSX Manager. | See Rotate NSX-T Certificates for Kubernetes Clusters.
For more information about Kubernetes Cluster certificates in TKGI, see TKGI Certificates.
Warning: Never use the CredHub Maestro maestro regenerate ca/leaf --all command to rotate TKGI certificates.
To rotate TKGI-provisioned Kubernetes cluster certificates, first determine which certificates are due to expire and then rotate them:
To list the TLS certificates used by a TKGI-provisioned Kubernetes cluster, run the following command:
tkgi certificates CLUSTER-NAME -d DAYS
Where:
CLUSTER-NAME is the name of the cluster.
DAYS is the maximum number of days remaining until the certificate expires.
For example:
tkgi certificates tkgi-cluster-01 -d 10000
The sample output lists all TLS certificates that TKGI uses for the specified cluster.
NAME Type Days Left Valid until
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-nsx-lb Leaf 1803 2025-12-14T06:47:46Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-nsx-kube-proxy-2018 Leaf 1439 2024-12-15T06:47:41Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-ncp-2018 Leaf 1439 2024-12-15T06:47:41Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-nsx-t Leaf 708 2022-12-15T06:47:40Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kube-controller-manager-2018 Leaf 1439 2024-12-15T06:47:40Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-metrics-server-2018 Leaf 1439 2024-12-15T06:47:39Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-etcdctl-flanneld-2018-2 Leaf 1439 2024-12-15T06:47:39Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-etcdctl-root-2018-2 Leaf 1439 2024-12-15T06:47:38Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-etcdctl-2018-2 Leaf 1439 2024-12-15T06:47:37Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-etcd-2018-2 Leaf 1439 2024-12-15T06:47:36Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kubelet-client-2018 Leaf 1439 2024-12-15T06:47:36Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kubelet-2018 Leaf 1439 2024-12-15T06:47:35Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/etcd_ca_2018 Root 1439 2024-12-15T06:47:35Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kubernetes-2018 Leaf 1439 2024-12-15T06:47:34Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/monitoring-metric-cert Leaf 1439 2024-12-15T06:47:34Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/kubo_ca_2018 Root 1439 2024-12-15T06:47:34Z
The TKGI CLI supports rotating TLS certificates for the following scenarios:
For more information about how to use TKGI CLI to rotate Kubernetes cluster TLS certificates, see Rotate TLS Certificates Using the TKGI CLI below.
To rotate all cluster certificates:
tkgi rotate-certificates CLUSTER-NAME --all
This command rotates all certificates except a custom CA kubo_master_ca_2021 (if implemented).
WARNING: Rotate cluster certificates only on a TKGI cluster that has been upgraded to the current TKGI version. For more information, see Tasks Supported Following a TKGI Control Plane Upgrade in About Tanzu Kubernetes Grid Integrated Edition Upgrades.
To rotate all cluster certificates except the NSX-T certificates:
tkgi rotate-certificates CLUSTER-NAME --skip-nsx --all
This command rotates all certificates except tls-nsx-t and tls-nsx-lb.
To rotate only NSX certificates:
tkgi rotate-certificates CLUSTER-NAME --only-nsx
This command only rotates the NSX-T certificates tls-nsx-t and tls-nsx-lb.
For example:
tkgi rotate-certs tkgi-cluster-01 --only-nsx
You are about to rotate nsx related certificates for cluster tkgi-cluster-01. This operation requires bosh deployment, and will take a significant time. Are you sure you want to continue? (y/n):
For more information, see Rotate NSX-T Certificates for Kubernetes Clusters.
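To turn the listing from tkgi certificates into a rotation decision, here is an added shell example (not part of the TKGI documentation or CLI): it parses the output format shown above, flags certificates with at most DAYS days left, and picks the rotate-certificates flags that match the scenarios above. The sample listing is constructed from a subset of the rows shown earlier, and the cluster name is an assumption.

```shell
#!/bin/bash
# Added example, not TKGI code: triage "tkgi certificates" output and choose
# the matching "tkgi rotate-certificates" flags. In a live environment replace
# SAMPLE_OUTPUT with:  $(tkgi certificates "$CLUSTER" -d "$DAYS")
# Sample listing constructed from the output shown above (subset of rows).
SAMPLE_OUTPUT='NAME Type Days Left Valid until
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-nsx-lb Leaf 1803 2025-12-14T06:47:46Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-nsx-t Leaf 708 2022-12-15T06:47:40Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/tls-kubelet-2018 Leaf 1439 2024-12-15T06:47:35Z
/p-bosh/service-instance_62e2a43a-dc2a-47a8-a361-3911589e60aa/kubo_ca_2018 Root 1439 2024-12-15T06:47:34Z'

# Print "<cert-name> <days-left>" for every certificate with at most DAYS days
# left. Column 1 is the CredHub path, column 3 the days remaining; the first
# line is the header and is skipped.
expiring_certs() {   # usage: expiring_certs "$LISTING" DAYS
  printf '%s\n' "$1" | awk -v max="$2" 'NR > 1 && $3 + 0 <= max {
    n = split($1, p, "/"); print p[n], $3 }'
}

# Map the expiring set onto the rotation scenarios documented above:
#   only tls-nsx-t / tls-nsx-lb expiring -> --only-nsx
#   only non-NSX certificates expiring   -> --skip-nsx --all
#   both kinds expiring                  -> --all
#   nothing expiring                     -> no rotation needed
# Note: --all does not cover a custom kubo_master_ca_2021; that CA is
# rotated with tkgi update-cluster, as described above.
plan_rotation() {   # usage: plan_rotation CLUSTER "$LISTING" DAYS
  local cluster="$1" nsx=0 other=0 name days
  while read -r name days; do
    [ -z "$name" ] && continue
    case "$name" in
      tls-nsx-t|tls-nsx-lb) nsx=$((nsx + 1)) ;;
      *)                    other=$((other + 1)) ;;
    esac
  done <<EOF
$(expiring_certs "$2" "$3")
EOF
  if [ "$nsx" -gt 0 ] && [ "$other" -gt 0 ]; then
    echo "tkgi rotate-certificates $cluster --all"
  elif [ "$nsx" -gt 0 ]; then
    echo "tkgi rotate-certificates $cluster --only-nsx"
  elif [ "$other" -gt 0 ]; then
    echo "tkgi rotate-certificates $cluster --skip-nsx --all"
  else
    echo "no certificates expire within $3 days; nothing to rotate"
  fi
}

# Example run against the constructed listing (cluster name is an assumption).
expiring_certs "$SAMPLE_OUTPUT" 800
plan_rotation tkgi-cluster-01 "$SAMPLE_OUTPUT" 800
```

The printed command is a plan only; review it against the upgrade warning above before running it, since rotation triggers a BOSH deployment.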
If you have implemented a custom CA for the kubo_master_ca_2021, rotation is handled by the update-cluster CLI command.
To rotate a custom kubo_master_ca_2021 CA:
If you are updating a cluster that uses a public cloud CSI driver, see Limitations on Using a Public Cloud CSI Driver in Release Notes for additional requirements.
Run the following command:
tkgi update-cluster CLUSTER-NAME --config-file CONFIG-FILENAME
Where:
CLUSTER-NAME is the name of the cluster.
CONFIG-FILENAME is the name of the configuration file.
For complete usage, see Use a Custom CA for Kubernetes Clusters.
You can use the TKGI CLI to list and rotate the TLS certificates created for a Kubernetes cluster.
Usage:
tkgi rotate-certs | rotate-certificates CLUSTER-NAME [flags]
Flags:
--all Rotate all certs, not implemented yet, will be available in future releases.
-h, --help help for rotate-certs
--json Return the PKS-API output as json
--non-interactive Don't ask for user input
--only-nsx Rotate the tls-nsx-lb and tls-nsx-t certificates.
--wait Wait for the operation to finish