Tanzu Kubernetes Grid Integrated Edition Certificates

This topic summarizes Tanzu Kubernetes Grid Integrated Edition (TKGI) certificates and how to rotate them.

Overview of TKGI Certificates

TKGI secures all communication between TKGI control plane components and TKGI-managed Kubernetes clusters using Transport Layer Security (TLS). The TLS connections are validated by RSA Certificate Authority (CA) certificates and the leaf certificates those CAs issue:

  • Non-configurable certificates rotate automatically with selected TKGI tile upgrades.
  • Configurable certificates must be periodically checked for expiration dates and rotated.

All TKGI control plane and tile certificates are stored in CredHub.

For more information, see Certificate Types in the Ops Manager documentation.

Per-Cluster CA

TKGI supports a per-cluster CA for Kubernetes clusters. Kubernetes clusters provisioned by TKGI no longer use a shared CA.

By default TKGI creates a new CA for each new or updated cluster. TKGI manages the lifecycle of the per-cluster CA and the certificates it signs.

There is no action required to use the new per-cluster CA.
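The two points above, that each cluster trusts only its own CA and that configurable certificates must be checked for expiration, can be demonstrated with the Go standard library. The following is an added example written for this topic; it is not TKGI's own code and does not show how TKGI or CredHub store or rotate certificates. It constructs two self-signed CAs in memory (standing in for two per-cluster CAs), issues a server certificate from one of them, verifies that the certificate chains only to its own CA, and applies a rotation check with an assumed 30-day warning threshold. The CA names, the host name cluster-a.example.internal and the lifetimes are all constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed threshold: flag a certificate with this many days or fewer remaining.
const warnDays = 30

// caBundle holds a constructed CA certificate and its signing key. It stands in
// for the CA TKGI creates per cluster; it is not TKGI's implementation.
type caBundle struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newClusterCA builds a self-signed CA valid for the given lifetime.
func newClusterCA(name string, lifetime time.Duration) (*caBundle, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(lifetime),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &caBundle{key: key, cert: cert}, nil
}

// issueLeaf has the CA sign a server certificate for dnsName.
func issueLeaf(ca *caBundle, dnsName string, lifetime time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsTo reports whether leaf validates for dnsName against a trust store
// that contains only the given CA. A leaf from cluster A must fail here
// when checked against cluster B's CA: that is what a per-cluster CA buys.
func chainsTo(leaf, ca *x509.Certificate, dnsName string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	return err == nil
}

// daysUntilExpiry returns whole days from now until NotAfter (negative once expired).
func daysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// needsRotation is the periodic expiration check: true when the certificate is
// within warnDays of expiry or has already expired.
func needsRotation(cert *x509.Certificate, now time.Time) bool {
	return daysUntilExpiry(cert, now) <= warnDays
}

func main() {
	caA, _ := newClusterCA("cluster-a-ca", 4*365*24*time.Hour)
	caB, _ := newClusterCA("cluster-b-ca", 4*365*24*time.Hour)
	leaf, _ := issueLeaf(caA, "cluster-a.example.internal", 365*24*time.Hour)
	now := time.Now()
	fmt.Printf("trusted by cluster A CA: %v\n", chainsTo(leaf, caA.cert, "cluster-a.example.internal"))
	fmt.Printf("trusted by cluster B CA: %v\n", chainsTo(leaf, caB.cert, "cluster-a.example.internal"))
	fmt.Printf("days left: %d, rotate now: %v\n", daysUntilExpiry(leaf, now), needsRotation(leaf, now))
	fmt.Printf("rotate 340 days from now: %v\n", needsRotation(leaf, now.Add(340*24*time.Hour)))
}
```

Running the program prints true for the cluster A CA and false for the cluster B CA, then a fresh certificate that does not yet need rotation and the same certificate flagged once it is inside the 30-day window. In a TKGI deployment the certificates themselves come from CredHub and the rotation procedures linked in the table below; the check shown here is the kind of expiration test an operator schedules against configurable certificates, and it treats an already expired certificate the same as one about to expire.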

Rotating Certificates

TKGI certificates fall into different types based on where they are used and on how you check their expiration dates and rotate them.

With NSX-T networking, TKGI uses additional certificates that you must register with the NSX Manager after rotation.

The following table lists these types and their check and rotation procedures:

Used By                                 | Configurable? | How to Rotate
TKGI Control Plane                      | N*            | Rotate TKGI Control Plane Certificates
TKGI Control Plane (NSX-T)              | Y             | Rotate the Principal Identity Certificate and Key in Generating and Registering the NSX Manager Superuser Principal Identity Certificate and Key
Kubernetes clusters provisioned by TKGI | Y             | Rotate Cluster Certificates; for clusters with NSX-T networking, Rotate Cluster with NSX-T Certificates

*Non-configurable certificates rotate with tile upgrade and do not ordinarily require manual rotation.