Update certificates in AKS enabled by Azure Arc
Applies to: AKS on Azure Stack HCI 22H2, AKS on Windows Server
AKS Arc certificate management covers two layers of the stack. First, the infrastructure layer brings up AKS clusters on Windows Server or HCI nodes. This is referred to as the MOC (Microsoft On-premises Cloud) layer. The second layer is the AKS Kubernetes layer. This includes the Kubernetes infrastructure certificates auto-provisioned as part of the cluster bootstrapping.
The behavior of the certificates at the MOC layer and AKS Kubernetes layer has a few differences depending on two factors: cluster shutdown and cluster updates.
Certificate renewal dependencies on cluster shutdown
| Shutdown | MOC certificates | AKS enabled by Arc Kubernetes certificates |
|---|---|---|
| Shutdown less than 30 days | Not impacted | Impacted |
| Shutdown more than 30 days | Impacted | Impacted |
Certificate renewal dependencies on cluster renewal
| Cluster | MOC certificates | AKS enabled by Arc Kubernetes certificates |
|---|---|---|
| Cluster updated within 90 days | Not impacted | Not impacted |
| Cluster not updated within 90 days | Not impacted | Not impacted |
Commands for fixing certificates
| Cluster | MOC certificates | AKS enabled by Arc Kubernetes control plane certificates |
|---|---|---|
| Management cluster | `Update-AksHciCertificates` | N/A |
| Target cluster | `Update-AksHciClusterCertificates -name <cluster name> -fixCloudCredentials` | `Update-AksHciClusterCertificates -name <cluster name> -fixKubeletCredentials` |
| Load balancer | `Update-AksHciClusterCertificates -name <cluster name> -patchLoadBalancer -fixCloudCredentials` | |
When both MOC and AKS Kubernetes certificates are impacted
When the cluster has been shut down for more than 30 days, run the following commands in this sequence:

1. `Update-AksHciCertificates` (to fix management cluster certificates).
2. `Update-AksHciClusterCertificates -name <cluster name> -fixKubeletCredentials` (to fix target cluster control plane certificates).
3. `Update-AksHciClusterCertificates -name <cluster name> -fixCloudCredentials` (to fix target cluster MOC certificates).
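The following PowerShell function is an added example, not part of this page or of the AksHci module, that runs the recovery sequence above (management cluster first, then control plane and MOC certificates for every target cluster, with the load balancer patch as an opt-in step) from a management node where the AksHci module is already imported. It assumes that `Get-AksHciCluster` returns one object per target cluster with a `Name` property; the function name `Repair-AksArcCertificates` and its parameters are this example's own.

```powershell
# Added example (not from the page or the AksHci module): orchestrate the
# certificate recovery sequence after a shutdown of more than 30 days.
# Assumptions: the AksHci module is imported on the management node, and
# Get-AksHciCluster returns objects that expose a Name property.
function Repair-AksArcCertificates {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Limit the run to specific target clusters; default is every cluster found.
        [string[]] $ClusterName,
        # Also run the load balancer patch (third row of the commands table).
        [switch] $PatchLoadBalancer
    )

    $ErrorActionPreference = 'Stop'

    # Step 1: management cluster (MOC layer) certificates.
    if ($PSCmdlet.ShouldProcess('management cluster', 'Update-AksHciCertificates')) {
        Update-AksHciCertificates
    }

    # Discover target clusters unless the caller named them explicitly.
    if (-not $ClusterName) {
        $ClusterName = Get-AksHciCluster | Select-Object -ExpandProperty Name
    }
    if (-not $ClusterName) {
        Write-Warning 'No target clusters found; only the management cluster was processed.'
        return
    }

    foreach ($name in $ClusterName) {
        # Step 2: control plane certificates come first, so the API server and
        # kubelets can authenticate to each other again.
        if ($PSCmdlet.ShouldProcess($name, 'Update-AksHciClusterCertificates -fixKubeletCredentials')) {
            Update-AksHciClusterCertificates -name $name -fixKubeletCredentials
        }

        # Step 3: MOC (cloud) credentials for the target cluster.
        if ($PSCmdlet.ShouldProcess($name, 'Update-AksHciClusterCertificates -fixCloudCredentials')) {
            Update-AksHciClusterCertificates -name $name -fixCloudCredentials
        }

        # Optional: load balancer certificates, run only when requested.
        if ($PatchLoadBalancer -and
            $PSCmdlet.ShouldProcess($name, 'Update-AksHciClusterCertificates -patchLoadBalancer')) {
            Update-AksHciClusterCertificates -name $name -patchLoadBalancer -fixCloudCredentials
        }

        Write-Host "[$name] certificate recovery sequence completed."
    }
}

# Usage: preview the plan first, then run it for all clusters including the load balancer step.
# Repair-AksArcCertificates -WhatIf
# Repair-AksArcCertificates -PatchLoadBalancer
```

Because the function supports `-WhatIf`, you can review the exact sequence and cluster names before any certificate is touched; a failure in an earlier step stops the run (`$ErrorActionPreference = 'Stop'`) rather than continuing to fix cloud credentials on a cluster whose control plane certificates were not renewed.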