Rotating Certificates In Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS) uses certificates for authentication with many of its components. Periodically, you may need to rotate those certificates for security or policy reasons.
Prerequisites:
- Install or upgrade Azure CLI.
- Have kubectl and openssl available, as the checks below use them.
If you receive the following error when you try to connect to a cluster, the certificates have expired and need to be rotated:
Unable to connect to the server: x509: certificate has expired or is not yet valid: current time <current_time> is after <expired_time>
Check For Current Credential Expiration Date:
# Run the below query after updating the cluster name
export KUBECONFIG=<kubeconfig_file.yml>
kubectl config view --raw -o jsonpath="{.clusters[?(@.name == 'aks_cluster_name')].cluster.certificate-authority-data}" | base64 -d | openssl x509 -text | grep -A2 Validity
# Sample output
Validity
Not Before: May 13 03:36:11 2021 GMT
Not After : May 13 03:46:11 2051 GMT
Note that this query reads certificate-authority-data, i.e. the cluster CA certificate, which AKS issues with a 30-year lifetime (as the sample output shows). The client certificate your kubeconfig user presents is a separate entry and expires much sooner, so the "certificate has expired" error can appear while the CA still looks healthy.
Rotate your cluster certificates
If the certificate has expired (or is about to), it needs to be rotated. Be cautious: rotation can cause up to 30 minutes of downtime for your AKS cluster, so schedule it in a maintenance window.
# login
az login
# rotate certs
az aks rotate-certs --resource-group <resource_group_name> --name <aks_cluster_name> --subscription <subscription_name_or_id>
Update the certificate used by kubectl by running az aks get-credentials (the old kubeconfig still holds the pre-rotation client certificate, so it must be overwritten):
az aks get-credentials --resource-group <resource_group_name> --name <aks_cluster_name> --subscription <subscription_name_or_id> --file <kubeconfig_file.yml> --overwrite-existing
Verify the certificates have been updated by running a kubectl command, which will now succeed:
export KUBECONFIG=<kubeconfig_file.yml>
kubectl get nodes
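The whole procedure above as one bash script, added here as an example; it is not code from the original article or from Azure. It assumes kubectl, openssl, base64 and az are on PATH, and the kubeconfig path, cluster name, user name, resource group and subscription are placeholders you supply. It goes slightly beyond the page's own check: besides the cluster CA it also inspects the user's client certificate (client-certificate-data), which is the entry that actually triggers the "certificate has expired" error, and it tolerates kubeconfigs whose user entry carries a token or exec plugin instead of a client certificate.

```bash
#!/usr/bin/env bash
# Added example (not part of the original article): check the CA and client
# certificates in a kubeconfig for upcoming expiry and, when asked, run the
# rotation and credential refresh described above. Assumes kubectl, openssl,
# base64 and az are on PATH; names and paths are whatever your kubeconfig uses.
set -euo pipefail

# Return 0 if the PEM certificate in file $1 is expired or expires within $2 days,
# 1 if it stays valid beyond that window. openssl's -checkend exits 0 when the
# certificate will NOT expire in the window, so the result is inverted here.
cert_expires_within() {
  local pem=$1 days=$2
  if openssl x509 -noout -in "$pem" -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Print the notAfter timestamp of the PEM certificate in file $1.
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Extract a base64-encoded PEM field from a kubeconfig with kubectl's jsonpath.
# $1 kubeconfig, $2 jsonpath expression, $3 destination file. Returns 1 if the
# field is absent (e.g. Azure AD / exec-plugin users carry a token, not a cert).
extract_kubeconfig_cert() {
  local kubeconfig=$1 path=$2 dest=$3 data
  data=$(kubectl --kubeconfig "$kubeconfig" config view --raw -o jsonpath="$path")
  [ -n "$data" ] || return 1
  printf '%s' "$data" | base64 -d > "$dest"
}

# Report one certificate: label, notAfter, and OK/EXPIRING relative to $3 days.
# Returns 0 if OK, 2 if expiring or already expired.
report_cert() {
  local label=$1 pem=$2 warn_days=$3
  if cert_expires_within "$pem" "$warn_days"; then
    echo "EXPIRING  $label: notAfter=$(cert_not_after "$pem") (within ${warn_days}d)"
    return 2
  fi
  echo "OK        $label: notAfter=$(cert_not_after "$pem")"
}

# Check both the cluster CA and the user's client certificate.
# $1 kubeconfig, $2 cluster name, $3 user name, $4 warning window in days.
# Returns 0 if both are fine, 2 if either is expiring, 1 if the CA is missing.
check_kubeconfig_certs() {
  local kubeconfig=$1 cluster=$2 user=$3 warn_days=$4 tmp rc=0
  tmp=$(mktemp -d)
  if extract_kubeconfig_cert "$kubeconfig" \
       "{.clusters[?(@.name == \"$cluster\")].cluster.certificate-authority-data}" "$tmp/ca.pem"; then
    report_cert "cluster CA ($cluster)" "$tmp/ca.pem" "$warn_days" || rc=$?
  else
    echo "cluster '$cluster' has no certificate-authority-data" >&2
    rc=1
  fi
  if extract_kubeconfig_cert "$kubeconfig" \
       "{.users[?(@.name == \"$user\")].user.client-certificate-data}" "$tmp/client.pem"; then
    report_cert "client cert ($user)" "$tmp/client.pem" "$warn_days" || rc=$?
  else
    echo "user '$user' has no client-certificate-data (token or exec-plugin auth)"
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Rotate the cluster certificates and refresh the kubeconfig, as in the steps above.
# $1 resource group, $2 cluster name, $3 subscription, $4 kubeconfig file.
# Expect up to 30 minutes of API server downtime while rotate-certs runs.
rotate_aks_certs() {
  local rg=$1 cluster=$2 sub=$3 kubeconfig=$4
  az aks rotate-certs --resource-group "$rg" --name "$cluster" --subscription "$sub"
  az aks get-credentials --resource-group "$rg" --name "$cluster" --subscription "$sub" \
    --file "$kubeconfig" --overwrite-existing
  kubectl --kubeconfig "$kubeconfig" get nodes
}

# Usage (placeholders, not run here):
#   check_kubeconfig_certs <kubeconfig_file.yml> <aks_cluster_name> <kubeconfig_user_name> 30
#   rotate_aks_certs <resource_group_name> <aks_cluster_name> <subscription_name_or_id> <kubeconfig_file.yml>
```

Run check_kubeconfig_certs first and call rotate_aks_certs only when it reports EXPIRING (exit status 2); an exit status of 1 means the kubeconfig entry was not found, which is a naming problem, not a reason to take the cluster down for half an hour.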
and that’s it.