Control Plane Certs renewal threshold

Suhas Suresh

Jul 7, 2021, 9:43:32 AM
to okd...@googlegroups.com
Hey team,
Currently we have a setup of OKD 4.6. We wanted to know how soon, or at what threshold, the certificates used by the various control plane components (kube api server, kubelet, cluster kube api server operator, etc.) are renewed automatically. I looked around at the documentation, but it only says they are managed and auto-renewed: https://docs.okd.io/latest/security/certificate_types_descriptions/control-plane-certificates.html

Much appreciated,
- Suhas

Sri Ramanujam

Jul 26, 2021, 11:58:24 PM
to okd-wg
I believe that they are first rotated after 24 hours (from time of cluster install). After that rotation, as far as I understand it, the service-ca operator manages a self-signed CA that is then used to create all the certificates the cluster uses internally. The docs here: https://docs.okd.io/latest/security/certificate_types_descriptions/service-ca-certificates.html state that "the service CA is valid for 26 months and is automatically refreshed when there is less than 13 months validity left". I couldn't say for sure whether the certificates using this CA are rotated on the same interval, but I would hazard a guess that they're probably on the same schedule.
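The rule quoted in the reply above (service CA valid for 26 months, refreshed when less than 13 months of validity remain) can be checked against a certificate's own dates. This is an added example, not part of the thread or of OKD: it parses the text that `openssl x509 -noout -dates` prints and reports when the refresh window opens. The function names and the sample dates are constructed for illustration, and it only models the service CA rule quoted above, not the schedule of the other control plane certificates.

```python
import calendar
from datetime import datetime, timezone

DATE_FMT = "%b %d %H:%M:%S %Y %Z"  # as printed by `openssl x509 -noout -dates`

# Constructed sample (not from a real cluster): a CA valid for 26 months.
SAMPLE_DATES = """notBefore=Jul  7 09:43:32 2021 GMT
notAfter=Sep  7 09:43:32 2023 GMT"""


def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            # openssl pads single-digit days with an extra space; collapse it
            fields[key.strip()] = " ".join(value.split())
    missing = {"notBefore", "notAfter"} - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return tuple(
        datetime.strptime(fields[k], DATE_FMT).replace(tzinfo=timezone.utc)
        for k in ("notBefore", "notAfter")
    )


def minus_months(dt, months):
    """Step back whole calendar months, clamping the day to the month's length."""
    year, month0 = divmod(dt.year * 12 + dt.month - 1 - months, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)


def refresh_status(dates_text, now, threshold_months=13):
    """Apply 'refreshed when less than N months validity left' to one cert."""
    not_before, not_after = parse_openssl_dates(dates_text)
    window_opens = minus_months(not_after, threshold_months)
    return {
        "validity_days": (not_after - not_before).days,
        "window_opens": window_opens,
        "in_refresh_window": window_opens < now < not_after,
        "expired": now >= not_after,
    }


if __name__ == "__main__":
    reply_date = datetime(2021, 7, 26, tzinfo=timezone.utc)
    print(refresh_status(SAMPLE_DATES, reply_date))
```

Running the same check over the dates of other cluster certificates shows empirically whether they follow the same interval, which is the part the reply leaves as a guess.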