This topic summarizes Tanzu Kubernetes Grid Integrated Edition (TKGI) certificates and how to rotate them.
TKGI secures all communication between TKGI control plane components and between the control plane and TKGI-managed Kubernetes clusters using Transport Layer Security (TLS). Each endpoint presents a leaf certificate issued by an RSA Certificate Authority (CA) certificate, and those CAs and leaf certificates fall into the following groups:
TKGI Control Plane Certificates
TKGI control plane certificates secure TKGI control plane component communication with the TKGI API server and TKGI DB server.
TKGI User-Configurable Certificates
TKGI user-configurable certificates are not generated by TKGI; they must be supplied and configured by TKGI administrators, who are also responsible for rotating them.
BOSH Certificates used by TKGI
The BOSH certificates used by TKGI are generated by BOSH.
TKGI-Provisioned Kubernetes Cluster Certificates
The certificates used by TKGI-provisioned Kubernetes clusters are unique to each cluster: TKGI automatically generates a per-cluster CA and the leaf certificates it signs, and manages the life cycle of both.
NSX-Only TKGI Kubernetes Cluster Certificates
NSX-only TKGI Kubernetes cluster certificates are used only in clusters that integrate with NSX and must be registered with NSX Manager.
Every certificate used by TKGI has a fixed validity period and expires at the end of it, so certificates must be rotated before they expire. For more information, see Check Certificate Expiration Dates and Rotating Certificates below.
For more information about certificates, see Certificate Types in the Ops Manager documentation.
Before rotating TKGI certificates, determine which certificates are approaching expiration.
To review certificate expiration dates:
VMware recommends that TKGI administrators periodically verify the expiration dates of their TKGI certificates and, when needed, rotate expiring certificates. See Check Certificate Expiration Dates above to review your TKGI certificate expiration dates.
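As an added example (not from the TKGI documentation or from VMware's tooling), the following Python script triages a certificate inventory by days to expiry and labels each hit with the certificate group from the rotation tables below, so an operator can see which rotation procedure applies to each one. It assumes a JSON document with a `certificates` list whose entries carry `variable_path` and `valid_until` fields, modelled on the shape of an Ops Manager deployed-certificates listing; the sample input, the product path and the dates in it are constructed for illustration and should be checked against your own Ops Manager output.

```python
"""Triage a TKGI certificate inventory by days to expiry (added example, not VMware code)."""
import json
from datetime import datetime, timezone

# Certificate groups and names are taken from the rotation tables on this page.
CATEGORIES = {
    "TKGI control plane": (
        "pxc_server_ca", "pxc_galera_ca",
        "uaa_active_pks_saml_key_2018", "kubo_odb_ca_2018",
    ),
    "TKGI user-configurable": ("pks_tls", "nsx-t-superuser-certificate"),
    "BOSH (bosh-dns)": (
        "bosh_dns_health_client_tls", "bosh_dns_health_server_tls",
        "dns_api_client_tls", "dns_api_server_tls",
    ),
    "Kubernetes cluster": (
        "kubo_master_ca_2021", "tls-kubernetes-2018", "tls-ncp-2018",
        "tls-nsx-kube-proxy-2018", "kubo_ca_2018", "tls-kubelet-2018",
        "tls-metrics-server-2018", "tls-kubelet-client-2018",
        "tls-kube-controller-manager-2018", "etcd_ca_2018", "tls-etcd-2018-2",
        "tls-etcdctl-2018-2", "tls-etcdctl-root-2018-2", "tls-etcdctl-flanneld-2018-2",
    ),
    "NSX-only cluster": ("tls-nsx-t", "tls-nsx-lb"),
}

# Constructed sample input. Its shape (a "certificates" list with "variable_path"
# and "valid_until" fields) is modelled on an Ops Manager deployed-certificates
# listing, but the field names, the product path and the dates are assumptions
# made for this example only.
_PREFIX = "/p-bosh/pivotal-container-service-EXAMPLE/"
SAMPLE_RESPONSE = json.dumps({"certificates": [
    {"variable_path": _PREFIX + "pxc_server_ca", "is_ca": True, "valid_until": "2027-03-01T00:00:00Z"},
    {"variable_path": _PREFIX + "uaa_active_pks_saml_key_2018", "is_ca": False, "valid_until": "2026-01-15T00:00:00Z"},
    {"variable_path": _PREFIX + "bosh_dns_health_client_tls", "is_ca": False, "valid_until": "2025-11-20T00:00:00Z"},
    {"variable_path": _PREFIX + "dns_api_server_tls", "is_ca": False, "valid_until": "2025-10-01T00:00:00Z"},
    {"variable_path": _PREFIX + "pks_tls", "is_ca": False, "valid_until": "2025-12-31T00:00:00Z"},
]})

# Fixed reference time so the example is reproducible; use datetime.now(timezone.utc) in practice.
EXAMPLE_NOW = datetime(2025, 10, 15, tzinfo=timezone.utc)


def categorize(name):
    """Map a certificate name to its rotation group from this page's tables."""
    for category, names in CATEGORIES.items():
        if name in names:
            return category
    return "unclassified"


def parse_valid_until(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' is normalized so fromisoformat accepts it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expiring_certificates(raw_json, now=EXAMPLE_NOW, within_days=90):
    """Return certificates that are expired or expire within `within_days`, soonest first."""
    rows = []
    for cert in json.loads(raw_json)["certificates"]:
        name = cert["variable_path"].rsplit("/", 1)[-1]   # last path element is the credential name
        days_left = (parse_valid_until(cert["valid_until"]) - now).days
        if days_left > within_days:
            continue
        rows.append({
            "name": name,
            "category": categorize(name),
            "is_ca": bool(cert.get("is_ca", False)),
            "days_left": days_left,
            "status": "EXPIRED" if days_left < 0 else "EXPIRING",
        })
    rows.sort(key=lambda r: r["days_left"])
    return rows


if __name__ == "__main__":
    # Each hit must be rotated with the procedure for its own group (see the tables
    # on this page), never with a blanket `maestro regenerate ca/leaf --all`.
    for row in expiring_certificates(SAMPLE_RESPONSE):
        suffix = "  (CA)" if row["is_ca"] else ""
        print(f"{row['status']:8} {row['days_left']:5d}d  {row['category']:22} {row['name']}{suffix}")
```

With the constructed sample and the fixed reference date, the script lists the already-expired dns_api_server_tls first, then the one-year bosh-dns leaf and pks_tls, and leaves the control plane CA alone because it is years away. Pick the threshold from the shortest default validity in your environment (one year for the bosh-dns certificates in the tables below) so that the shortest-lived certificates never fall through the gap between checks.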
Warning: Never use the CredHub Maestro maestro regenerate ca/leaf --all command to rotate TKGI certificates. Rotate each certificate with the procedure listed for its group in the tables below.
The following summarizes the rotation requirements for the certificates used in TKGI environments:
TKGI Control Plane Certificates
| Certificate | Default Expiration | Rotation Description |
|---|---|---|
| pxc_server_ca and leaf certificates | Four years | See Rotate TKGI Control Plane Certificates or How to rotate TKGI control plane CA and leaf certificates in the VMware Tanzu Knowledge Base. |
| pxc_galera_ca and leaf certificates | Four years | As above. |
| uaa_active_pks_saml_key_2018 and leaf certificates | Four years | As above. |
| kubo_odb_ca_2018 and leaf certificates | Four years | As above. |
TKGI User-Configurable Certificates
| Certificate | Default Expiration | Rotation Description |
|---|---|---|
| pks_tls | Admin-defined | Open the TKGI API tab on the TKGI tile. The TKGI API Service certificate is used to secure access to the TKGI API endpoint. |
| nsx-t-superuser-certificate | Admin-defined | See Rotate the Principal Identity Certificate and Key in Generating and Registering the NSX Manager Superuser Principal Identity Certificate and Key, or How to renew the nsx-t-superuser-certificate used by Principal Identity user in the VMware Tanzu Knowledge Base. The NSX SuperUser certificate is used to secure access to NSX Manager. |
BOSH Certificates used by TKGI
| Certificate | Default Expiration | Rotation Description |
|---|---|---|
| bosh_dns_health_client_tls | One year | See How to rotate bosh-dns certificates in TKGI 1.9+ using maestro in the VMware Tanzu Knowledge Base. |
| bosh_dns_health_server_tls | One year | As above. |
| dns_api_client_tls | One year | As above. |
| dns_api_server_tls | One year | As above. |
To extend the default expiration period, see Overriding Duration for Certificates in the Ops Manager documentation.
TKGI Kubernetes Cluster Certificates
| Certificate and leaf certificates | Default Expiration | Rotation Description |
|---|---|---|
| kubo_master_ca_2021 and leaf certificates: tls-kubernetes-2018, tls-ncp-2018 (with NSX), tls-nsx-kube-proxy-2018 (with NSX) | Four years | See Rotate Kubernetes Cluster Certificates. |
| kubo_ca_2018 and leaf certificates: tls-kubelet-2018, tls-metrics-server-2018, tls-kubelet-client-2018, tls-kube-controller-manager-2018 | Four years | As above. |
| etcd_ca_2018 and leaf certificates: tls-etcd-2018-2, tls-etcdctl-2018-2, tls-etcdctl-root-2018-2, tls-etcdctl-flanneld-2018-2 | Four years | As above. |
NSX-Only TKGI Kubernetes Cluster Certificates
| Certificate | Default Expiration | Rotation Description |
|---|---|---|
| tls-nsx-t | Two years | See Rotate NSX Certificates Only in Rotate Kubernetes Cluster Certificates. The NSX-only certificates must be registered with NSX Manager. |
| tls-nsx-lb | Five years | As above. |