$ oc get secret -n openshift-etcd etcd-signer -oyaml > signer_backup_secret.yaml
Manage etcd certificates in OKD, including rotating certificates, removing unused certificate authorities, and understanding certificate types.
etcd certificates are signed by the etcd-signer. The certificates come from a certificate authority (CA) that is generated by the bootstrap process.
The CA certificates are valid for 10 years. The peer, client, and server certificates are valid for three years.
These certificates are managed only by the system and are automatically rotated.
Review the etcd peer, client, server, and metric certificate types and related secrets, so you know which certificate applies when configuring or troubleshooting etcd security.
etcd certificates are used for encrypted communication between etcd member peers and encrypted client traffic. The following certificates are generated and used by etcd and other processes that communicate with etcd:
Peer certificates: Used for communication between etcd members.
Client certificates: Used for encrypted server-client communication. Client certificates are currently only used by the API server. Except for the proxy, ensure that no other service connects to etcd directly except for the proxy. Client secrets such as etcd-client, etcd-metric-client, etcd-metric-signer, and etcd-signer are added to the openshift-config, openshift-etcd, openshift-etcd-operator, and openshift-kube-apiserver namespaces.
Server certificates: Used by the etcd server for authenticating client requests.
Metric certificates: All metric consumers connect to the proxy with metric-client certificates.
You can manually rotate the etcd certificate before its automatic, scheduled rotation by backing up and deleting the current signer certificate.
Make a backup copy of the current signer certificate by running the following command:
$ oc get secret -n openshift-etcd etcd-signer -oyaml > signer_backup_secret.yaml
Delete the existing signer certificate by running the following command:
$ oc delete secret -n openshift-etcd etcd-signer
Wait for the static pod roll out by running the following command. The static pod roll out can take a few minutes to complete.
$ oc wait --for=condition=Progressing=False --timeout=15m clusteroperator/etcd
After a manual etcd or metrics signer rotation, delete the etcd-ca-bundle or etcd-metrics-ca-bundl as appropriate. When the cluster reconciles, unused certificate authority (CA) keys are removed. This ensures that components only trust the current signer.
Delete the key by running the following command:
$ oc delete configmap -n openshift-etcd etcd-ca-bundle
Wait for the static pod rollout by running the following command. The bundle regenerates with the current signer certificate and all unknown or unused keys are deleted.
$ oc adm wait-for-stable-cluster --minimum-stable-period 2m
Monitor etcd signer expiration alerts and rotate the metrics signer using the etcd-metric-signer parameter and the etcd-metrics-ca-bundle when required, so you avoid certificate expiration and maintain secure etcd metrics traffic.
etcdSignerCAExpirationWarningOccurs 730 days until the signer expires.
etcdSignerCAExpirationCriticalOccurs 365 days until the signer expires.
These alerts track the expiration date of the signer certificate authorities in the openshift-etcd namespace.
You can rotate the certificate for the following reasons:
You receive an expiration alert.
The private key is leaked.
|
When a private key is leaked, you must rotate all of the certificates. |
There is a separate etcd signer for the OKD metrics system. To rotate the separate etcd signer, follow the steps in "Rotating the etcd certificate" using the following parameters:
Use the etcd-metric-signer parameter instead of the etcd-signer
Use etcd-metrics-ca-bundle bundle instead ofthe etcd-ca-bundle