Tanzu Kubernetes Grid Integrated Edition Certificates
This topic summarizes Tanzu Kubernetes Grid Integrated Edition (TKGI) certificates and how to rotate them.
Overview of TKGI Certificates
TKGI secures all communication between TKGI control plane components and TKGI-managed Kubernetes clusters with RSA Certificate Authority (CA) certificates and leaf certificates that they issue:
- Non-configurable certificates rotate automatically with selected TKGI tile upgrades.
- Configurable certificates must be periodically checked for expiration dates and rotated.
All TKGI control plane and tile certificates are stored in CredHub.
For more information, see Certificate Types in the Ops Manager documentation.
Rotating Certificates
TKGI certificates fall into different types based on where they are used and on how you check their expiration dates and rotate them.
With NSX-T networking, TKGI uses additional certificates that you must register with the NSX Manager after rotation.
The following table lists these types and their check and rotation procedures:
Used By | Configurable? | How to Rotate
---|---|---
TKGI Control Plane | N* | Rotate TKGI Control Plane Certificates
TKGI Control Plane (NSX-T) | Y | Rotating the Certificate and Key in Generating and Registering the NSX Manager Superuser Principal Identity Certificate and Key
TKGI Control Plane and Clusters, Shared | N* | Rotate Shared Cluster Certificates
Unique to Cluster | Y | Rotate Cluster-Specific Certificates; Rotate Cluster-Specific NSX-T Certificates
*Non-configurable certificates rotate with tile upgrade and do not ordinarily require manual rotation.
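As an added example, not part of the TKGI documentation: a small shell script an operator can run against the configurable certificates in the table above (for instance the NSX-T superuser principal identity certificate, exported as PEM) to see how many days remain and flag any inside a warning window. It assumes openssl is on PATH; the PEM file paths and the warning threshold are the caller's.

```shell
#!/usr/bin/env bash
# Added example (not from the TKGI docs): report days remaining on each PEM
# certificate passed in and flag those inside a warning window. Meant for the
# configurable certificates that must be checked and rotated by hand.
# Assumes openssl is on PATH; file paths are supplied by the caller.

# days_remaining <cert.pem> : print whole days until notAfter (negative if expired)
days_remaining() {
  local cert="$1" end_raw end_epoch now_epoch
  end_raw=$(openssl x509 -in "$cert" -noout -enddate) || return 2
  end_raw=${end_raw#notAfter=}
  # GNU date and BSD date parse the openssl date string differently; try both.
  end_epoch=$(date -u -d "$end_raw" +%s 2>/dev/null \
           || date -u -j -f "%b %e %H:%M:%S %Y %Z" "$end_raw" +%s) || return 2
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# expires_within <cert.pem> <days> : exit 0 if the cert expires within <days>
# (or is already expired), 1 if it is still valid past the window.
# Uses openssl's own -checkend (in seconds), so no date parsing is involved.
expires_within() {
  local cert="$1" days="$2"
  if openssl x509 -in "$cert" -noout -checkend $(( days * 86400 )) >/dev/null; then
    return 1   # still valid past the window
  else
    return 0   # expires inside the window
  fi
}

# report <warn_days> <cert.pem>... : one line per cert; exits non-zero if any
# cert needs rotation or cannot be read, so it can gate a cron job or CI step.
report() {
  local warn="$1"; shift
  local rc=0 cert days
  for cert in "$@"; do
    days=$(days_remaining "$cert") || { echo "UNREADABLE $cert"; rc=2; continue; }
    if expires_within "$cert" "$warn"; then
      echo "ROTATE   $cert (${days}d left, warn at ${warn}d)"; rc=1
    else
      echo "ok       $cert (${days}d left)"
    fi
  done
  return "$rc"
}
```

Run it as `report 30 /path/to/cert1.pem /path/to/cert2.pem`; a non-zero exit means at least one certificate is inside the window and should be rotated following the procedure in the table.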