Rotate user-provided server certificates
When user-provided certificates have been supplied as Kubernetes secrets, you can
rotate the server certificate by updating the contents of the Kubernetes Secret.
For example, if you've used .pem files to provide certificates, replace the
server.pem certificate and the server-key.pem private key, then update the
Kubernetes secret:
kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -
CFK watches the Kubernetes secret; when it notices that the content has changed,
it performs a rolling restart of the component to configure the new server
certificate.
Rotate certificate authority
When user-provided certificates have been supplied as Kubernetes secrets, you can
rotate the certificate authority in a two-step process. This section assumes
you've used .pem files to provide certificates.
1. Append new certificate authority
Append the new intermediate/root CA to ca.pem. It co-exists with the old
intermediate/root CA, so certificates signed by either CA remain trusted.
file name: ca.pem
content:
-----BEGIN CERTIFICATE-----
<old root CA certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<new root CA certificate>
-----END CERTIFICATE-----
Update the secret:
kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -
CFK watches the Kubernetes secret; when it notices that the content has changed,
it performs a rolling restart of the component to configure the new root CA for
use alongside the old root CA.
2. Generate server certs with new certificate authority
Generate new server certs signed by the new CA, and replace the server.pem
certificate and the server-key.pem private key. Then update the Kubernetes
secret:
kubectl create secret generic component-tls \
--from-file=fullchain.pem=server.pem \
--from-file=cacerts.pem=ca.pem \
--from-file=privkey.pem=server-key.pem \
--save-config --dry-run=client -oyaml | \
kubectl apply -f -
CFK watches the Kubernetes secret; when it notices that the content has changed,
it performs a rolling restart of the component to configure the new server
certificate.
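The rotation above only works if step 1 appends the new CA to ca.pem rather than replacing the old one; otherwise components restart trusting only a CA that has not signed any server certificate yet. The following check, added here as an example and not part of the CFK documentation, reads cacerts.pem out of the component-tls secret (as returned by kubectl get secret -o json) and confirms that every old CA is still present and at least one new CA was added. The PEM bodies and the secret JSON are constructed placeholders, not real certificates.

```python
import base64
import json
import re

# Matches each CERTIFICATE block in a PEM bundle (re.S lets '.' span lines).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_blocks(bundle: str) -> list:
    """Return the base64 body of every certificate in a PEM bundle,
    with whitespace removed so line wrapping does not affect comparison."""
    return [re.sub(r"\s+", "", body) for body in PEM_CERT_RE.findall(bundle)]


def cacerts_from_secret(secret_json: str) -> str:
    """Extract and decode the cacerts.pem entry from `kubectl get secret ... -o json`."""
    data = json.loads(secret_json)["data"]
    return base64.b64decode(data["cacerts.pem"]).decode()


def check_ca_append(old_bundle: str, new_bundle: str) -> dict:
    """Verify step 1 of CA rotation: every CA from the old bundle must still be
    present in the new bundle, and at least one CA must have been added."""
    old, new = pem_blocks(old_bundle), pem_blocks(new_bundle)
    missing = [c for c in old if c not in new]
    added = [c for c in new if c not in old]
    return {"ok": not missing and bool(added),
            "missing": len(missing), "added": len(added), "total": len(new)}


# Constructed sample data: the bodies below are placeholders, not real certificates.
OLD_CA = "-----BEGIN CERTIFICATE-----\nT0xELUNB\n-----END CERTIFICATE-----\n"
NEW_CA = "-----BEGIN CERTIFICATE-----\nTkVXLUNB\n-----END CERTIFICATE-----\n"

# Constructed stand-in for `kubectl get secret component-tls -o json` after step 1.
SECRET_AFTER_STEP1 = json.dumps({
    "kind": "Secret", "metadata": {"name": "component-tls"},
    "data": {"cacerts.pem": base64.b64encode((OLD_CA + NEW_CA).encode()).decode()},
})

if __name__ == "__main__":
    current = cacerts_from_secret(SECRET_AFTER_STEP1)
    print(check_ca_append(OLD_CA, current))   # appended correctly -> ok: True
    print(check_ca_append(OLD_CA, NEW_CA))    # old CA dropped     -> ok: False
```

Run it against the live secret with the old ca.pem on disk before proceeding to step 2; a result with missing > 0 means the old CA was overwritten and step 2 would leave running components unable to validate the current server certificate.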