# Configuring Certificate Renewal

## Prerequisites

The commands in this section must be run on every instance: `controller-0`, `controller-1`, `controller-2`, `worker-0`, `worker-1`, and `worker-2`.

Log in to each instance using the `gcloud` command. Example:

```
gcloud compute ssh controller-0
```

## Download certificate management tools

Run each command on every node.

Download the `step` CLI binary:

```
wget -q --show-progress --https-only --timestamping \
  "https://dl.step.sm/gh-release/cli/gh-release-header/v0.18.0/step_linux_0.18.0_amd64.tar.gz"
```

Install the binary:

```
tar -xvf step_linux_0.18.0_amd64.tar.gz
sudo mv step_0.18.0/bin/step /usr/local/bin/
```

## Bootstrap with the CA

Configure the host to trust your Certificate Authority:

```
{
  STEP_CA_URL=$(gcloud compute project-info describe --format='get(commonInstanceMetadata.items.STEP_CA_URL)')
  STEP_CA_FINGERPRINT=$(gcloud compute project-info describe --format='get(commonInstanceMetadata.items.STEP_CA_FINGERPRINT)')
  sudo step ca bootstrap \
    --ca-url "${STEP_CA_URL}" \
    --fingerprint "${STEP_CA_FINGERPRINT}"
}
```

Output:

```
The root certificate has been saved in /root/.step/certs/root_ca.crt.
The authority configuration has been saved in /root/.step/config/defaults.json.
```

## Set up the certificate renewal timer

We'll use a systemd timer to renew certificates when they are two-thirds of the way through their validity period.

Install the systemd certificate renewal service and timer.

```
cat << EOF | sudo tee /etc/systemd/system/cert-renewer@.service
[Unit]
Description=Certificate renewer for %I
After=network-online.target
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
StartLimitIntervalSec=0

[Service]
Type=oneshot
User=root
Environment=STEPPATH=/etc/step-ca \\
            CERT_LOCATION=/etc/step/certs/%i.crt \\
            KEY_LOCATION=/etc/step/certs/%i.key

; ExecCondition checks if the certificate is ready for renewal,
; based on the exit status of the command.
; (In systemd <242, you can use ExecStartPre= here.)
ExecCondition=/usr/local/bin/step certificate needs-renewal \${CERT_LOCATION}

; ExecStart renews the certificate, if ExecCondition was successful.
ExecStart=/usr/local/bin/step ca renew --force \${CERT_LOCATION} \${KEY_LOCATION}

[Install]
WantedBy=multi-user.target
EOF
```

Install the timer:

```
cat << EOF | sudo tee /etc/systemd/system/cert-renewer@.timer
[Unit]
Description=Certificate renewal timer for %I
Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production

[Timer]
Persistent=true

; Run the timer unit every 5 minutes.
OnCalendar=*:1/5

; Always run the timer on time.
AccuracySec=1us

; Add jitter to prevent a "thundering herd" of simultaneous certificate renewals.
RandomizedDelaySec=5m

[Install]
WantedBy=timers.target
EOF
```

# Controller Certificate Renewal

## Prerequisites

The commands in this section must be run on every controller: `controller-0`, `controller-1`, `controller-2`.

Log in to each instance using the `gcloud` command. Example:

```
gcloud compute ssh controller-0
```

## Configure certificate renewal for etcd

Create and start a certificate renewal timer for etcd:

```
sudo mkdir /etc/systemd/system/cert-renewer@etcd.service.d
cat <
```

Remember to run the above commands on each controller node: `controller-0`, `controller-1`, and `controller-2`.

# Worker Certificate Renewal

## Prerequisites

The commands in this section must be run on every worker: `worker-0`, `worker-1`, and `worker-2`.

Log in to each instance using the `gcloud` command. Example:

```
gcloud compute ssh worker-0
```

## Configure Certificate Renewal for `kubelet.service`

Install a renewal service that will restart `kubelet.service` when the certificate is renewed:

```
sudo mkdir /etc/systemd/system/cert-renewer@kubelet.service.d
cat <
```

Remember to run the above commands on each worker node: `worker-0`, `worker-1`, and `worker-2`.
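As an added check that is not part of this page or of step-ca, the following Python parses the `cert-renewer@.service` and `cert-renewer@.timer` units above and flags the settings the design depends on: the `ExecCondition` gate, `Type=oneshot`, the randomized delay against a thundering herd, and `Persistent=true`. The embedded unit text is constructed from the units above as systemd sees them after the shell heredoc has expanded `\\` and `\${VAR}`.

```python
# Added example, not from the page or step-ca: a lint for the cert-renewer units
# above. The unit text below is constructed as systemd sees it after heredoc expansion.
def parse_unit(text):
    """{section: {key: [values]}}, keeping repeated keys in order, skipping
    '#'/';' comment lines and joining backslash line continuations."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):                        # systemd continuation
            pending = line[:-1].rstrip() + " "
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        sections.setdefault(section, {}).setdefault(key.strip(), []).append(value.strip())
    return sections

# (unit, section, key, required value or None for "any value", why it matters)
CHECKS = [
    ("service", "Service", "ExecCondition", None, "renewal would run every 5 minutes"),
    ("service", "Service", "Type", "oneshot", "a timer-driven unit must exit when done"),
    ("timer", "Timer", "RandomizedDelaySec", None, "all nodes would hit the CA at once"),
    ("timer", "Timer", "Persistent", "true", "runs missed while down are never made up"),
]

def check_renewer(service_text, timer_text):
    """Return problems; an empty list means the units match the design above."""
    units = {"service": parse_unit(service_text), "timer": parse_unit(timer_text)}
    problems = []
    for unit, section, key, want, why in CHECKS:
        got = units[unit].get(section, {}).get(key, [])
        if not got or (want is not None and got != [want]):
            problems.append(f"{unit}: {key} {'missing' if want is None else 'must be ' + want}: {why}")
    return problems

SERVICE_UNIT = """\
[Service]
Type=oneshot
Environment=STEPPATH=/etc/step-ca \\
            CERT_LOCATION=/etc/step/certs/%i.crt \\
            KEY_LOCATION=/etc/step/certs/%i.key
; ExecCondition gates ExecStart on the needs-renewal exit status.
ExecCondition=/usr/local/bin/step certificate needs-renewal ${CERT_LOCATION}
ExecStart=/usr/local/bin/step ca renew --force ${CERT_LOCATION} ${KEY_LOCATION}
"""
TIMER_UNIT = "[Timer]\nPersistent=true\nOnCalendar=*:1/5\nRandomizedDelaySec=5m\n"
```

Run `check_renewer` against the installed files (`/etc/systemd/system/cert-renewer@.service` and `.timer`) to confirm a node's units still carry these settings after a drop-in has been added.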