The Common Services cluster contains internal Kubernetes (k8s) certificates that require manual rotation. These certificates are not rotated automatically or during a cluster upgrade. Rotate the certificates before they expire to prevent cluster failure.
Use these commands to rotate the certificates or to check when they expire.
Command |
Description |
ccm rotate-cluster-certificates
|
Rotate internal certificates before they expire. Run this command during a maintenance window. The rotation process can take up to two hours to complete. |
ccm release cert-manager getcerts -id --output-format short
|
Check the expiration date for your internal cluster certificates. If any certificates in the list expire, your cluster could become unusable. The following is an example of the output for this command: # ccm release cert-manager getcerts -id --output-format short
| validFrom | validTo | Issuer | SUBJECT | SAN
"Fri Jun 17 23:24:17 UTC 2022","Sat Jun 17 23:17:08 UTC 2023","O=Avaya, CN=Certificate Manager CA","CN=flex-81, C=US, OU=MGMT, O=AVAYA","dNSName=flex-81"
"Sat Jun 18 00:00:43 UTC 2022","Sun Jun 18 00:00:42 UTC 2023","O=Avaya, CN=Certificate Manager CA","CN=rbac-service, C=US, OU=MGMT, O=AVAYA","uniformResourceIdentifier=spiffe://cluster.local/ns/default/sa/rbac-service, dNSName=rbac-service.default.svc"
. . . |
