Kubernetes CA rotation gstg/gprd
The existing Kubernetes CA in gstg-gitlab-gke and gprd-gitlab-gke is going to expire on:
- gstg-gitlab-gke - 2024-06-24
- gprd-gitlab-gke - 2024-10-08
This requires manual intervention to make sure we rotate the CA without impact/outage to the workloads and deployments.
Steps for rotation are available in the official GKE documentation.
Timing is important here: GKE automatically starts a CA rotation 30 days before it expires.
Validate
- Workload static ServiceAccount secrets/tokens
  - Switch them to short-lived tokens if possible, otherwise rotate them once the new CA is created
- Deployment/CI ServiceAccount tokens, rotate them once the new CA is created
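An added example for the Validate items above (not part of the original issue or of GitLab's tooling): it inventories Secret-backed ServiceAccount tokens from `kubectl get secrets -A -o json` output, flags tokens with no `exp` claim, and marks those created before the new CA. The function names, the sample Secret and the `ca_created_at` cutoff are assumptions.

```python
import base64
import json
from datetime import datetime, timezone

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"


def jwt_claims(token_b64):
    """Secret data is base64 and the token inside is a JWT; return its claims."""
    try:
        payload = base64.b64decode(token_b64).decode().split(".")[1]
        return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (ValueError, IndexError):
        return {}  # unparseable or missing token: the Secret is still reported


def find_static_sa_tokens(secret_list, ca_created_at=None):
    """One finding per static token Secret; ca_created_at is an assumed operator input."""
    findings = []
    for item in secret_list.get("items", []):
        if item.get("type") != SA_TOKEN_TYPE:
            continue
        meta = item["metadata"]
        created = datetime.fromisoformat(meta["creationTimestamp"].replace("Z", "+00:00"))
        findings.append({
            "namespace": meta["namespace"],
            "name": meta["name"],
            "service_account": meta.get("annotations", {}).get(SA_NAME_ANNOTATION),
            "never_expires": "exp" not in jwt_claims(item.get("data", {}).get("token", "")),
            "needs_rotation": ca_created_at is not None and created < ca_created_at,
        })
    return findings


if __name__ == "__main__":
    # Constructed sample; real input comes from: kubectl get secrets -A -o json
    claims = json.dumps({"iss": "kubernetes/serviceaccount"}).encode()
    jwt = "e30." + base64.urlsafe_b64encode(claims).decode().rstrip("=") + ".sig"
    sample = {"items": [{
        "type": SA_TOKEN_TYPE,
        "metadata": {"namespace": "ci", "name": "deployer-token",
                     "creationTimestamp": "2023-01-10T09:00:00Z",
                     "annotations": {SA_NAME_ANNOTATION: "deployer"}},
        "data": {"token": base64.b64encode(jwt.encode()).decode()},
    }]}
    new_ca = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed CA creation time
    for finding in find_static_sa_tokens(sample, new_ca):
        print(finding)
```

Findings with `never_expires` set are the candidates for switching to short-lived tokens; the rest of the list is what to rotate once the new CA exists.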
Edited by Pierre Guinoiseau