Kubernetes Certificate Rotation

Sooner or later every company gets bitten by expired certificates and when they do, it can cause a catastrophic outage.

Kubernetes

The problem

Kubernetes has some magic sauce to automatically renew certificates before they expire. The built-in CertManager is a great tool for getting new certificates.  But are certificates renewed in time?  Did we discover a certificate expiring soon and renew it in time?

It’s easy for a certificate to slip through the cracks.  Once the cert expires, the system is offline with a really unfriendly message for users.  Suddenly our site looks unsafe.

It’s often at this point when a customer calls to complain that we realize a certificate expired again.  Then we build a big, manual process to ensure it never happens again.  But sure enough, a month or two later, it happens again.

The solution

This Shoreline automation scans the cluster for certificates generated by CertManager and stored in k8s secrets or pod definitions. When a certificate is expiring soon (a configurable timeframe), the Shoreline automation calls k8s’s CertManager to renew the certificate. You’ll almost forget about certificate expiry with Shoreline’s certificate management Op Pack.

Highlights

Customer experience impact
Total outage
HIGH
Occurrence frequency
Every 90 days
Low
Shoreline time to repair
1-2 minutes
LOW
Time to diagnose manually
Security
Cost impact
Time to repair manually
1-2 manual hours
High

Related Solutions