The TLS certificate for the registry add-on will be renewed automatically thirty days prior to expiration if the EKCO add-on is enabled with version 0.5.0+.
To manually renew the certificate for the registry prior to automatic renewal, re-run the kURL install script.
The certificates for Kubernetes control plane components are valid for one year. These certificates are renewed whenever the Kubernetes version is upgraded. Installations that do not routinely upgrade Kubernetes will need to rely on automatic certificate renewal provided by EKCO or manual renewal.
To check how long certificates have remaining until expiration, run this command on every primary node:
kubeadm alpha certs check-expiration
The certificates for the Kubernetes control plane will be renewed automatically thirty days prior to expiration if the EKCO add-on is enabled with version 0.5.0+.
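As an added example (not part of kURL or EKCO), the shell function below filters the output of the check-expiration command for certificates already inside the thirty-day window, meaning they have passed the point at which automatic renewal was expected. The column layout it parses and the sample output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list certificates that are inside the renewal window.
# Assumes the tabular layout printed by `kubeadm alpha certs check-expiration`:
#   NAME  <Mon DD, YYYY HH:MM UTC>  RESIDUAL  ...
# where RESIDUAL is a short duration such as 364d, 9y, 12h, or <invalid>.

# certs_expiring_within DAYS: reads check-expiration output on stdin and prints
# "name residual" for every certificate with fewer than DAYS days remaining.
certs_expiring_within() {
  awk -v limit="$1" '
    $6 != "UTC" { next }                  # skip headers, blank and log lines
    {
      r = $7; n = r + 0                   # numeric prefix of e.g. "29d"
      unit = substr(r, length(r))
      if (r == "<invalid>")  days = -1    # already expired
      else if (unit == "y")  days = n * 365
      else if (unit == "d")  days = n
      else                   days = 0     # h, m, s: under one day left
      if (days < limit) print $1, r
    }'
}

# Constructed sample output (not captured from a real cluster).
sample_output() {
  cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 28, 2031 10:00 UTC   200d                                    no
apiserver                  Sep 10, 2030 10:00 UTC   29d             ca                      no
apiserver-kubelet-client   Aug 12, 2030 22:00 UTC   12h             ca                      no
front-proxy-client         Aug 01, 2030 10:00 UTC   <invalid>       front-proxy-ca          no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Aug 09, 2039 10:00 UTC   9y              no
EOF
}

# On a primary node:
#   kubeadm alpha certs check-expiration | certs_expiring_within 30
sample_output | certs_expiring_within 30
```

Any line printed is a certificate to renew manually or to investigate on that node.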
Renewing the Kubernetes control plane certificates will trigger a restart of the Kubernetes API server, which may briefly affect applications running in the cluster.
If running an HA cluster with a load balancer, use this procedure to manually rotate the certificates at any point prior to the automatic rotation deadline. This will prevent Kubernetes API servers from restarting while handling client traffic.
Run the following on the node:
kubeadm alpha certs renew all
mv /etc/kubernetes/manifests/kube-apiserver.yaml /tmp/ && sleep 1 && mv /tmp/kube-apiserver.yaml /etc/kubernetes/manifests/
mv /etc/kubernetes/manifests/kube-controller-manager.yaml /tmp/ && sleep 1 && mv /tmp/kube-controller-manager.yaml /etc/kubernetes/manifests/
mv /etc/kubernetes/manifests/kube-scheduler.yaml /tmp/ && sleep 1 && mv /tmp/kube-scheduler.yaml /etc/kubernetes/manifests/
Confirm that this command reports ok:
curl -k https://127.0.0.1:6443/healthz
Repeat this for each of the remaining primary nodes in your cluster.