Renew Kubernetes certificates before or after expiry to maintain secure cluster operations in Crosswork Network Controller.
Kubernetes certificate renewal
Certificates are valid for one year before they expire. After you renew the certificates, ensure that the pods are healthy before resuming other operations.
If you renew certificates before they expire, it is recommended to perform this activity during a maintenance window to keep the cluster in an operational state.
To renew a certificate, perform these steps:
Before you begin
-
Create a plain text file on your local machine (for example,
password.txt) that contains the SSH login password for the server. -
Keep the management IP addresses readily available for the hybrid and worker nodes in your cluster.
Procedure
| 1. | Create a backup of your Crosswork Network Controller. |
|
| 2. | Log in to one of your hybrid nodes. |
|
| 3. | Renew the Kubernetes certificates using the
|
|
| 4. | (Optional) Recover cluster: If multiple pods are stuck in
Wait for the
After all the Calico pods are up and running, all other pods will recover and enter a running state. If any pods remain in a non-running state, wait at least 10 minutes after the Calico pods started, and then run this command:
|
Automatic renewal of internal certificates
Crosswork CA generates TLS certificate chains, including root, intermediate CA, and leaf certificates, for day 0 deployments (Geo HA and non-Geo HA). The leaf certificates are valid for 2 years, while root and intermediate CA certificates are valid for 5 years. Customers with Crosswork deployments lasting beyond two years will face certificate expiry. This expiry disrupts TLS communication and impacts cluster operations. Auto-renewal applies to all Crosswork certificates generated internally, including NATS, Kafka, and any application-specific internal certificates.
The renewal alert is generated only when the expiry period is less than 90 days. When an internal certificate is expiring and renewed, all internal certificates of that type will be renewed. For example, when a leaf certificate is renewed, the process will also renew all other leaf certificates.
For GEO HA deployment:
For a Geo HA deployment, the certificate renewal is triggered in the active AZ cluster. The TLS manager determines if the cluster has geo redundancy enabled or disabled and decides whether the certificate renewal must be performed on one cluster or both geo HA clusters. After the renewal job is completed on the active cluster, the job automatically runs in the standby cluster after a delay. The standby cluster then displays job progress and alarm events.
In a Geo HA setup with auto-arbitration, the certificate is first renewed on the active cluster, then simultaneously renewed on the standby cluster and the arbiter VM.
The certificate renewal process can cause a downtime of approximately thirty minutes to one hour. It is recommended to perform this activity during a maintenance window to avoid disrupting cluster operations.
To renew an internal certificate, perform the following:
Procedure
| 1. | From the main menu, choose . The Certificate Management window appears. If an internal certificate is about to expire, a prompt appears for certificate renewal.
|
|
| 2. | Click Renew Internal Certificate . A confirmation popup is displayed. Click Renew to confirm.
This action invokes the REST API (/v2/cert/renew) and initiates the certificate expiry check. The Certificate Management window displays a notification about the new renewal job.
You can view progress of the renewal job from the Jobs tab. After the job completes, an Info alarm event indicates successful completion of the job. You must manually clear this alarm to acknowledge the event. Any error during the process will result in job failure. However, the job can be triggered again because the API is repeatable. |
|
| 3. | In case of Geo HA deployment: After successfully completing the certificate renewal, run an on-demand or periodic sync across the active and standby clusters to ensure that asynchronous replication is re-established over a secure channel. |
|
| 4. | After the renewal job completes, perform these steps to maintain TLS communication between Crosswork and other external components: |