OpenShift Container Platform (OCP) Strategy / OCPSTRAT-1797

Hitless TLS Certificate Rotation for Kubernetes API


    • Product / Portfolio Work
    • 0% To Do, 0% In Progress, 100% Done
      Date : 8/13/2025
      Color Status: Green
      Status Summary:
      Have a number of PRs for bug fixes and test changes awaiting a good nightly.

      Feature Overview 

      OpenShift relies on internal certificates for communication between components, with automatic rotations ensuring security. For critical components like the API server, rotations occur via a rollout process, replacing certificates one instance at a time.

      In clusters with high transaction rates and in Single Node OpenShift (SNO) deployments, this can lead to transient errors for in-flight transactions during the transition.

      This feature ensures seamless TLS certificate rotations in OpenShift, eliminating downtime for the Kubernetes API server during certificate updates, even under heavy loads or in SNO deployments.

              racedoro@redhat.com Ramon Acedo
              Vadim Rutkovsky
              Rahul Gangwar
              Andrea Hoffer
              Kyle Walker