Rotation of Expired Webhook Certificates
For Rancher versions that have rancher-webhook
installed, certain versions created certificates that will expire after one year. It will be necessary for you to rotate your webhook certificate if the certificate did not renew.
In Rancher v2.6.3 and up, rancher-webhook deployments will automatically renew their TLS certificate when it is within 30 or fewer days of its expiration date. If you are using v2.6.2 or below, there are two methods to work around this issue:
1. Users with cluster access, run the following commands:
kubectl delete secret -n cattle-system cattle-webhook-tls
kubectl delete mutatingwebhookconfigurations.admissionregistration.k8s.io --ignore-not-found=true rancher.cattle.io
kubectl delete pod -n cattle-system -l app=rancher-webhook
2. Users with no cluster access via kubectl
:
Delete the
cattle-webhook-tls
secret in thecattle-system
namespace in the local cluster.Delete the
rancher.cattle.io
mutating webhookDelete the
rancher-webhook
pod in thecattle-system
namespace in the local cluster.
note
The webhook certificate expiration issue is not specific to cattle-webhook-tls
as listed in the examples. You will fill in your expired certificate secret accordingly.