Update certificates in AKS enabled by Azure Arc

Applies to: AKS on Azure Stack HCI 22H2, AKS on Windows Server

AKS Arc certificate management covers two layers of the stack. First, the infrastructure layer brings up AKS clusters on Windows Server or HCI nodes. This is referred to as the MOC (Microsoft On-premises Cloud) layer. The second layer is the AKS Kubernetes layer. This includes the Kubernetes infrastructure certificates auto-provisioned as part of the cluster bootstrapping.

Certificate renewal behaves differently at the MOC layer and the AKS Kubernetes layer depending on two factors: how long the cluster has been shut down, and whether the cluster has been updated.

Certificate renewal dependencies on cluster shutdown

| Shutdown | MOC certificates | AKS hybrid Kubernetes certificates |
|---|---|---|
| Shutdown less than 30 days | Not impacted | Impacted |
| Shutdown more than 30 days | Impacted | Impacted |

Certificate renewal dependencies on cluster renewal

| Cluster | MOC certificates | AKS hybrid Kubernetes certificates |
|---|---|---|
| Cluster updated within 90 days | Not impacted | Not impacted |
| Cluster not updated within 90 days | Not impacted | Not impacted |

Commands for fixing certificates

| Cluster | MOC certificates | AKS hybrid Kubernetes control plane certificates |
|---|---|---|
| Management cluster | Update-AksHciCertificates | N/A |
| Target cluster | Update-AksHciClusterCertificates -name -fixCloudCredentials | Update-AksHciClusterCertificates -name -fixKubeletCredentials |
| Load balancer | Update-AksHciClusterCertificates -name -patchLoadBalancer -fixCloudCredentials | |

When both MOC and AKS Kubernetes certificates are impacted

When the cluster has been shut down for more than 30 days, run the following commands in this sequence:

  1. Update-AksHciCertificates (to fix management cluster certificates)
  2. Update-AksHciClusterCertificates -fixKubeletCredentials (to fix target cluster control plane certificates)
  3. Update-AksHciClusterCertificates -fixCloudCredentials (to fix target cluster MOC certificates)
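The sequence above as a script, added here as an example and not part of the original article or the AksHci module. It goes beyond the three-step list by also covering the shorter shutdown case from the first table (30 days or less, where only the Kubernetes certificates are impacted) and by checking the control plane's presented certificate afterwards. It assumes the AksHci module is imported and that Get-AksHciCluster is available; $ClusterName and $ApiServerHost are placeholders you supply.

```powershell
# Added example, not from the original article: run the renewal steps for one
# target cluster, chosen from the shutdown length, then verify the API server's
# presented certificate. Assumes the AksHci module is imported and that
# Get-AksHciCluster is available; $ClusterName and $ApiServerHost are placeholders.
param(
    [Parameter(Mandatory = $true)][string]$ClusterName,   # placeholder: target cluster name
    [int]$ShutdownDays = 31,                              # constructed value: > 30 days
    [string]$ApiServerHost = ''                           # placeholder: control plane IP or FQDN
)
$ErrorActionPreference = 'Stop'   # abort on the first failed step

function Get-TlsCertificateExpiry {
    # Read the NotAfter date of the certificate presented on host:port.
    param([string]$HostName, [int]$Port = 6443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts any chain: we only inspect the presented leaf's dates.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate).NotAfter
    }
    finally { $client.Dispose() }
}

# Confirm the target cluster exists before touching any certificates.
if (-not (Get-AksHciCluster -name $ClusterName)) {
    throw "Target cluster '$ClusterName' not found."
}

if ($ShutdownDays -gt 30) {
    # Both layers impacted: management cluster first, then control plane, then MOC.
    Write-Host "Step 1: Update-AksHciCertificates (management cluster)"
    Update-AksHciCertificates
    Write-Host "Step 2: fixKubeletCredentials on $ClusterName"
    Update-AksHciClusterCertificates -name $ClusterName -fixKubeletCredentials
    Write-Host "Step 3: fixCloudCredentials on $ClusterName"
    Update-AksHciClusterCertificates -name $ClusterName -fixCloudCredentials
}
else {
    # Shutdown of 30 days or less: only the Kubernetes certificates are impacted.
    Write-Host "Shutdown <= 30 days: fixKubeletCredentials on $ClusterName only"
    Update-AksHciClusterCertificates -name $ClusterName -fixKubeletCredentials
}

if ($ApiServerHost) {
    $notAfter = Get-TlsCertificateExpiry -HostName $ApiServerHost
    if ($notAfter -lt (Get-Date)) { throw "API server certificate still expired ($notAfter)." }
    Write-Host "API server certificate valid until $notAfter"
}
```

The final check only reads the certificate's validity dates; it does not replace normal chain validation for clients of the cluster.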

Next steps