Maintenance of prokube installations

Renewing TLS Certificates

One of the recurring tasks in maintaining a prokube installation is renewing TLS certificates. This section describes how to renew the TLS certificates of the various components.

After installation, set up a reminder to renew the certificates before they expire. The certificates of the various components usually expire after one year.

Self-Signed Certificates

If your certificate is self-signed (or not trusted by the default certificate authorities) and you are using Entra ID (formerly Azure AD) with Dex, you will need to update the TLS certificate stored in the k8s-cert secret in the istio-system namespace.

Delete and recreate the secret, then restart the authservice StatefulSet so it picks up the new certificate:

kubectl delete secret k8s-cert -n istio-system
kubectl create secret generic k8s-cert --from-file=k8s.crt=<your-tls-cert> -n istio-system
kubectl rollout restart statefulset authservice -n istio-system

MicroK8s

The certificates of MicroK8s clusters are valid for one year. Once they have expired, you will get errors when trying to access the cluster (via the web interface or via kubectl).

Checking the validity of the TLS certificates

To check how long the certificates remain valid, run the following command on the MicroK8s node:

sudo microk8s.refresh-certs -c

Renewing MicroK8s certificates

You can renew the certificates by running the following commands on the MicroK8s node:

sudo microk8s.refresh-certs -e server.crt
sudo microk8s.refresh-certs -e front-proxy-client.crt

In a multi-node cluster, you might need to run the commands on all nodes.

After refreshing the certificates, you might need to restart the MicroK8s cluster.

MinIO

The MinIO operator uses TLS certificates to secure the communication between the operator and the MinIO instances. These certificates are valid for one year.

Checking the validity of the TLS certificates

To check how long the certificates remain valid, run the following commands (they print the notBefore and notAfter dates of the operator and tenant certificates):

kubectl get secret operator-tls -n minio -o jsonpath="{.data.public\.crt}" | base64 -d | openssl x509 -noout -dates
kubectl get secret defaulttenant-tls -n minio -o jsonpath="{.data.public\.crt}" | base64 -d | openssl x509 -noout -dates
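The two commands above only print the validity dates; the reminder suggested at the top of this page is easier to automate when a script decides whether renewal is due. The following script is an added example and not part of the prokube documentation or the MinIO project. It assumes openssl and kubectl are on PATH and reuses the secret names, namespace and key name from the commands above (operator-tls, defaulttenant-tls, minio, public.crt); the function names are ours. It uses openssl's -checkend option so no date arithmetic is needed in the shell.

```shell
#!/bin/sh
# Added example (not from the prokube docs): report certificates in Kubernetes
# secrets that expire within N days, suitable for a cron job or a CI check.

# Return 0 if the PEM certificate in $1 is still valid $2 days from now,
# 1 if it expires (or has already expired) within that window.
cert_ok_for_days() {
    pem="$1"; days="$2"
    openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Print the notAfter date of the PEM certificate in $1.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Fetch one key of a Kubernetes secret, decode it and check its expiry.
# Usage: check_secret_cert <secret> <namespace> <key> <days>
# Exit status: 0 = fine, 1 = renew soon, 2 = could not read a certificate.
check_secret_cert() {
    secret="$1"; ns="$2"; key="$3"; days="$4"
    tmp=$(mktemp) || return 2
    # jsonpath needs the dot in the key escaped ("public\.crt"), as above
    escaped=$(printf '%s' "$key" | sed 's/\./\\./g')
    kubectl get secret "$secret" -n "$ns" -o "jsonpath={.data.$escaped}" \
        | base64 -d > "$tmp" 2>/dev/null
    # An empty or non-PEM result (missing secret, wrong key) must not be
    # reported as "expired"; treat it as an error instead.
    if ! openssl x509 -in "$tmp" -noout >/dev/null 2>&1; then
        echo "ERROR    $ns/$secret ($key): no certificate found"
        rm -f "$tmp"
        return 2
    fi
    if cert_ok_for_days "$tmp" "$days"; then
        echo "OK       $ns/$secret ($key) valid until $(cert_not_after "$tmp")"
        rc=0
    else
        echo "RENEW    $ns/$secret ($key) expires $(cert_not_after "$tmp")"
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Check the two MinIO secrets from this page with a 30-day warning window
# (requires access to the cluster; commented out so the file can be sourced).
# check_secret_cert operator-tls minio public.crt 30
# check_secret_cert defaulttenant-tls minio public.crt 30
```

Run it from cron and alert on a non-zero exit status; the 30-day window gives enough lead time to go through the renewal steps in the next sections before the MinIO operator starts failing.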

Refreshing MinIO operator's TLS certificates

To refresh the certificates, delete the secret containing the certificate, then restart the operator and all tenants:

kubectl delete secret operator-tls -n minio
kubectl rollout restart deployment/minio-operator -n minio
kubectl rollout restart statefulset/defaulttenant-ss-0 -n minio

(On single node deployments you might need to delete the minio-operator pod by hand.)

Renewing the self-signed TLS certificate

When the self-signed certificate for MinIO expires, you will need to generate a new one. You can do this by running the following commands, which create a new key and CSR, have the cluster CA sign it, and store the result in the operator-tls secret:

# Generate a new private key and a CSR with the SANs the operator is reached under
openssl genrsa -out private.key 2048
openssl req -new -key private.key -out curve.csr -subj "/O=system:nodes/CN=system:node:operator.minio.svc" -addext "subjectAltName = DNS:operator,DNS:operator.minio.svc,DNS:operator.minio.svc.cluster.local"

# The CSR object expects the PEM request as a single base64 line
BASE64_CSR=$(base64 < curve.csr | tr -d '\n')

cat <<EOF > csr-manual.yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: operator-minio-operator-csr
spec:
  request: ${BASE64_CSR}
  signerName: kubernetes.io/kubelet-serving
  expirationSeconds: 34560000  # this is 400 days
  groups:
  - system:serviceaccounts
  - system:serviceaccounts:minio-operator
  - system:authenticated
  - system:nodes
  usages:
    - "digital signature"
    - "key encipherment"
    - "server auth"
  username: system:serviceaccount:minio-operator:minio-operator
EOF

# Submit and approve the CSR, then retrieve the signed certificate
kubectl apply -f csr-manual.yaml
kubectl certificate approve operator-minio-operator-csr
kubectl get csr operator-minio-operator-csr -o jsonpath="{.status.certificate}" | base64 --decode > public.crt

# Inspect the issued certificate; check the Not After date and the SANs,
# since the signer may issue a shorter lifetime than the one requested
kubectl get csr operator-minio-operator-csr -o jsonpath="{.status.certificate}" | base64 --decode | openssl x509 -noout -text

# Replace the operator-tls secret with the new key and certificate
kubectl delete secret operator-tls -n minio
kubectl create secret generic operator-tls --from-file=./private.key --from-file=./public.crt -n minio

Afterwards you will need to restart your MinIO operator and all tenants:

kubectl rollout restart deployment/minio-operator -n minio
kubectl rollout restart statefulset/defaulttenant-ss-0 -n minio

These commands are a modified example from the MinIO blog.