×

Purpose

etcd certificates are signed by the etcd-signer; they come from a certificate authority (CA) that is generated by the bootstrap process.

Expiration

The CA certificates are valid for 10 years. The peer, client, and server certificates are valid for three years.

Rotating the etcd certificate

The etcd certificate automatically rotates using the etcd cluster Operator. However, if a certificate must be rotated before it is automatically rotated, you can manually rotate it.

Procedure
  1. Make a backup copy of the current signer certificate by running the following command:

    $ oc get secret -n openshift-etcd etcd-signer -oyaml > signer_backup_secret.yaml
  2. Delete the existing signer certificate by running the following command:

    $ oc delete secret -n openshift-etcd etcd-signer
  3. Wait for the static pod roll out by running the following command. The static pod roll out can take a few minutes to complete.

    $ oc wait --for=condition=Progressing=False --timeout=15m clusteroperator/etcd

Removing an unused certificate authority from the bundle

A manual rotation does not immediately update the trust bundle to remove the public key of a previous signer certificate.

The public key of the signer certificate is removed at the expiration date, however if the public key must be removed before it expires, you can delete it.

Procedure
  1. Delete the key by running the following command:

    $ oc delete configmap -n openshift-etcd etcd-ca-bundle
  2. Wait for the static pod rollout by running the following command. The bundle regenerates with the current signer certificate and all unknown or unused keys are deleted.

    $ oc adm wait-for-stable-cluster --minimum-stable-period 2m

etcd certificate rotation alerts and metrics signer certificates

Two alerts inform users about pending etcd certificate expiration:

etcdSignerCAExpirationWarning

Occurs 730 days until the signer expires.

etcdSignerCAExpirationCritical

Occurs 365 days until the signer expires.

These alerts track the expiration date of the signer certificate authorities in the openshift-etcd namespace.

You can rotate the certificate for the following reasons:

  • You receive an expiration alert.

  • The private key is leaked.

When a private key is leaked, you must rotate all of the certificates.

There is an etcd signer for the OpenShift Container Platform metrics system. Substitute the following metrics parameters in Rotating the etcd certificate.

  • etcd-metric-signer instead of etcd-signer

  • etcd-metrics-ca-bundle instead of etcd-ca-bundle

Management

These certificates are only managed by the system and are automatically rotated.

Services

etcd certificates are used for encrypted communication between etcd member peers and encrypted client traffic. The following certificates are generated and used by etcd and other processes that communicate with etcd:

  • Peer certificates: Used for communication between etcd members.

  • Client certificates: Used for encrypted server-client communication. Client certificates are currently used by the API server only, and no other service should connect to etcd directly except for the proxy. Client secrets (etcd-client, etcd-metric-client, etcd-metric-signer, and etcd-signer) are added to the openshift-config, openshift-monitoring, and openshift-kube-apiserver namespaces.

  • Server certificates: Used by the etcd server for authenticating client requests.

  • Metric certificates: All metric consumers connect to proxy with metric-client certificates.

Additional resources