Managing Kubernetes infrastructure TLS

Description

The NSP Kubernetes infrastructure certificates undergo automatic scheduled renewal, but manual renewal or replacement options are also available, as described below.

NSP Kubernetes registry

An NSP cluster communicates with the local Kubernetes registry to pull container images and Helm charts. You can replace the Kubernetes registry certificate, if required, as described in "How do I update the Kubernetes registry TLS certificate?"

NSP deployer host

The NSP automatically renews the NSP deployer host TLS certificates twice annually, based on an internal schedule; no operator action is required.

You can, however, manually update the K3s certificate on the NSP deployer host, as may be required for security reasons or if, for example, the NSP deployer host is shut down at the scheduled renewal time. See "How do I update the K3s certificate for an NSP deployer host VM?" for information.

NSP cluster VMs

The TLS certificates that secure the NSP cluster VM control plane renew automatically and silently each month.

No alarm is raised for the expiry or renewal; however, the renewal action is logged in the /var/log/messages file on the NSP cluster host. The following is the starting log entry for a renewal operation:

timestamp node1-3 systemd: Starting Renew K8S control plane certificates...
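
Because no alarm is raised, the log entry above is the only record that a renewal ran. The following added example (not part of the NSP product or its documentation) scans messages-file lines for that entry and reports, per cluster host, whether the last renewal is recent. It assumes the classic syslog timestamp format without a year; the host names, sample lines and 35-day threshold are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Message text from the log entry shown above.
RENEW_MSG = "Starting Renew K8S control plane certificates"
# Assumption: classic syslog prefix "Mon DD HH:MM:SS host systemd:" (no year).
LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) systemd(?:\[\d+\])?: (.*)$")

# Constructed sample lines; node1..node3 are placeholder host names.
SAMPLE = [
    "Dec 30 02:00:01 node1 systemd: Starting Renew K8S control plane certificates...",
    "Jan  2 09:13:44 node1 systemd: Started Session 12 of user root.",
    "Nov 20 02:00:01 node2 systemd[1]: Starting Renew K8S control plane certificates...",
]

def parse_ts(mon, day, clock, now):
    """Attach a year to a year-less syslog timestamp; handles year rollover."""
    for year in (now.year, now.year - 1):
        try:
            ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        except ValueError:  # e.g. Feb 29 in a non-leap year
            continue
        if ts <= now + timedelta(days=1):  # an entry cannot be in the future
            return ts
    return None

def last_renewal(lines, now):
    """Map each host to the time of its most recent renewal start entry."""
    latest = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or RENEW_MSG not in m.group(5):
            continue
        ts = parse_ts(m.group(1), m.group(2), m.group(3), now)
        if ts and ts > latest.get(m.group(4), datetime.min):
            latest[m.group(4)] = ts
    return latest

def check(lines, now, expected_hosts, max_age_days=35):
    """Return host -> 'ok' | 'stale' | 'missing' (35 days is an assumed margin)."""
    latest = last_renewal(lines, now)
    limit = timedelta(days=max_age_days)
    return {h: "missing" if h not in latest
            else "stale" if now - latest[h] > limit else "ok"
            for h in expected_hosts}

if __name__ == "__main__":
    print(check(SAMPLE, datetime(2025, 1, 10, 12, 0), ["node1", "node2", "node3"]))
```

If the host rotates /var/log/messages more often than the monthly renewal interval, pass the lines of the rotated files as well, otherwise a healthy host is reported as missing.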