Kubernetes Certificate Rotation
While CertManager, the add-on most Kubernetes clusters run to issue certificates, automates getting new certificates, it's still common to miss the deadline on an expiring certificate, leading to catastrophic outages.
CertManager will renew a certificate ahead of its expiry (the Certificate resource's renewBefore setting controls how far ahead), and it is a great tool for getting new certificates. But did the renewal actually succeed? Did anyone notice the certificate that was about to expire and renew it in time? A renewal can fail quietly: an ACME challenge that no longer resolves, an issuer whose own credentials have expired, or a pod that loaded the old certificate at startup and never picked up the renewed Secret.
It's easy for a certificate to slip through the cracks. Once it expires, the service is effectively offline: browsers show users a scary warning instead of the site, and suddenly the site looks unsafe.
It's often at this point, when a customer calls to complain, that we realize a certificate expired again. Then we build a big manual process to make sure it never happens again. But sure enough, a month or two later, it happens again.
This Shoreline automation scans the cluster for certificates generated by CertManager and stored in Kubernetes secrets or pod definitions. When a certificate is due to expire within a configurable window, the automation asks CertManager to renew it, so the check runs continuously rather than once after an outage. You'll almost forget about certificate expiry with Shoreline's certificate management Op Pack.
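The core of such a scan is small: decode the tls.crt entry of each kubernetes.io/tls Secret, read the leaf certificate's NotAfter, and flag anything inside the renewal window. The following Go program is an added example, not code from Shoreline's Op Pack or from CertManager. It assumes a hypothetical TLSSecret struct standing in for the fields of a Secret as returned by `kubectl get secret -o json` (in a real run you would list secrets of type kubernetes.io/tls with a Kubernetes client), and it generates constructed self-signed certificates in place of ones CertManager would have written. Triggering the actual renewal is left as a comment, since that is a call to CertManager (for example `cmctl renew <certificate> -n <namespace>` on the Certificate that owns the Secret) rather than something this scanner does itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// TLSSecret is a hypothetical stand-in for the parts of a kubernetes.io/tls
// Secret we need: namespace/name and the base64-encoded data["tls.crt"].
type TLSSecret struct {
	Namespace string
	Name      string
	TLSCrtB64 string
}

// LeafExpiry decodes the first CERTIFICATE block in tls.crt (the leaf comes
// first in a chain) and returns its NotAfter.
func LeafExpiry(tlsCrtB64 string) (time.Time, error) {
	raw, err := base64.StdEncoding.DecodeString(tlsCrtB64)
	if err != nil {
		return time.Time{}, fmt.Errorf("tls.crt is not valid base64: %w", err)
	}
	for {
		var block *pem.Block
		block, raw = pem.Decode(raw)
		if block == nil {
			return time.Time{}, fmt.Errorf("no CERTIFICATE block in tls.crt")
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return time.Time{}, err
		}
		return cert.NotAfter, nil
	}
}

// ExpiringSoon returns "namespace/name" for every secret whose leaf expires
// within window of now, or whose tls.crt cannot be parsed at all. Unparseable
// data is treated as expiring: a spurious renewal beats a silent outage.
func ExpiringSoon(secrets []TLSSecret, now time.Time, window time.Duration) []string {
	var out []string
	for _, s := range secrets {
		exp, err := LeafExpiry(s.TLSCrtB64)
		if err != nil || !exp.After(now.Add(window)) {
			out = append(out, s.Namespace+"/"+s.Name)
		}
	}
	return out
}

// selfSigned builds a constructed, self-signed certificate valid until
// notAfter, encoded the way it would appear in a Secret. Test data only.
func selfSigned(cn string, notAfter time.Time) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return base64.StdEncoding.EncodeToString(pemBytes)
}

// SampleScan runs the check over three constructed secrets: 10 days left,
// 60 days left, and garbage in tls.crt. With a 30-day window the first and
// third are flagged.
func SampleScan() []string {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	secrets := []TLSSecret{
		{"prod", "web-tls", selfSigned("web.example.com", now.Add(10*24*time.Hour))},
		{"prod", "api-tls", selfSigned("api.example.com", now.Add(60*24*time.Hour))},
		{"staging", "broken-tls", base64.StdEncoding.EncodeToString([]byte("not a cert"))},
	}
	return ExpiringSoon(secrets, now, 30*24*time.Hour)
}

func main() {
	for _, ref := range SampleScan() {
		// This is where the automation would hand off to CertManager, e.g.
		// `cmctl renew <certificate> -n <namespace>` for the owning Certificate.
		fmt.Println("needs renewal:", ref)
	}
}
```

Two design choices matter here. The window is measured against the leaf certificate, not the chain, because it is the leaf that clients validate against the hostname. And a Secret that fails to parse is reported rather than skipped: a scanner that silently ignores malformed data is exactly how a certificate slips through the cracks.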