How it Works

This section describes the sequence of operation for the feature.

  1. The certificates in CM-managed K8s clusters, control planes, workers, and external ETCD nodes are checked every 12 hours.

  2. If any certificate is expiring in 60 days on the nodes, then the auto-renew process is triggered.

    • If the renewal is successful, then the subsequent checks show all the certificates as valid.

    • If the renewal is unsuccessful, then the auto-renew process is re-initiated for the next cycle or iteration of validating the certificates.

  3. If any certificate is expiring in 30 days on the nodes, then the auto-renew process is triggered along with sending an alert to the user.

    In such cases, manual intervention might be required to renew the certificates that are nearing their expiry date.

    The Kubernetes certificate expiry alert is shown below.

    Rules:

    • Alert: kube_certificate_expiring

      • Annotations:

        • Type: Kubernetes Certificate Expiring Alarm

        • Summary: "Kubernetes certificate {{ $labels.cert_path }} on host: {{ $labels.node_name }} is expiring in {{ $labels.days_to_expiry }} days."

      • Expression:

        • kube_certificate_expiring != 0

      • Labels:

        • Severity: critical

Note

The certificate auto-renewal process must restart the api-server. You might experience a temporary k8s API downtime during the certificate auto-renewal process.
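
The check cycle in steps 1 to 3 above can be modelled as follows. This is an added example, not the product's own code: it assumes "expiring in N days" means N or fewer whole days remain, and the node names, certificate paths and dates are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

RENEW_DAYS = 60   # page: auto-renew is triggered at 60 days
ALERT_DAYS = 30   # page: auto-renew plus a user alert at 30 days
SUMMARY = ("Kubernetes certificate {cert_path} on host: {node_name} "
           "is expiring in {days_to_expiry} days.")

def days_to_expiry(not_after, now):
    """Whole days remaining; negative when the certificate has already expired."""
    return (not_after - now) // timedelta(days=1)

def evaluate(certs, now):
    """One check cycle over (node_name, cert_path, not_after) tuples.

    Returns (renewals, alerts). Assumption: the thresholds are inclusive.
    """
    renewals, alerts = [], []
    for node_name, cert_path, not_after in certs:
        days = days_to_expiry(not_after, now)
        if days > RENEW_DAYS:
            continue                      # still valid, nothing to do
        renewals.append((node_name, cert_path))
        if days <= ALERT_DAYS:            # also covers already-expired certificates
            alerts.append({
                "alert": "kube_certificate_expiring",
                "severity": "critical",
                "summary": SUMMARY.format(cert_path=cert_path,
                                          node_name=node_name,
                                          days_to_expiry=days),
            })
    return renewals, alerts

# Constructed inventory: hosts, paths and expiry dates are sample values.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    ("master-1", "/etc/kubernetes/pki/apiserver.crt", NOW + timedelta(days=200)),
    ("master-1", "/etc/kubernetes/pki/front-proxy-client.crt", NOW + timedelta(days=45)),
    ("etcd-1", "/etc/etcd/pki/server.crt", NOW + timedelta(days=12, hours=6)),
    ("worker-1", "/var/lib/kubelet/pki/kubelet.crt", NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    renewals, alerts = evaluate(SAMPLE, NOW)
    for node, path in renewals:
        print("renew", node, path)
    for a in alerts:
        print(a["severity"], a["summary"])
```

A certificate that has already expired falls under the 30-day branch, so it is both queued for renewal and alerted on.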