Kubernetes Certificate Rotation

Kubernetes Certificate Rotation

While Kubernetes has a built-in CertManager for getting new certificate, it's quite common to miss the deadline on expiring certificates, leading to catastrophic outages.

KubernetesMost Popular
Back to Solutions

The problem

Kubernetes has some magic sauce to automatically renew certificates before they expire. The built-in CertManager is a great tool for getting new certificates.  But are certificates renewed in time?  Did we discover a certificate expiring soon and renew it in time?

It’s easy for a certificate to slip through the cracks.  Once the cert expires, the system is offline with a really unfriendly message for users.  Suddenly our site looks unsafe.

It’s often at this point when a customer calls to complain that we realize a certificate expired again.  Then we build a big, manual process to ensure it never happens again.  But sure enough, a month or two later, it happens again.

The solution

This Shoreline automation scans the cluster for certificates generated by CertManager and stored in k8s secrets or pod definitions. When a certificate is expiring soon (a configurable timeframe), the Shoreline automation calls k8s’s CertManager to renew the certificate. You’ll almost forget about certificate expiry with Shoreline’s certificate management Op Pack.

Highlights

Customer experience impact
Total outage
HIGH
Occurrence frequency
Every 90 days
LOW
Time to repair manually
1-2 manual hours
HIGH
Shoreline time to repair
1-2 minutes
LOW

Related Solutions

Rightsize Pod CPU & Memory Allocations
Reduce pod CPU and/or memory limits that are set too high.
Kubernetes
Endpoints Unreachable
Determine when there are no endpoints behind your Kubernetes service or these endpoints have become unreachable.
Kubernetes
Memory Exhaustion
Running out of memory rapidly degrades customer experience and must be preempted.
Kubernetes