Better alerts for AKS certificate expiration, or rotate certificates automatically
Yesterday we had considerable downtime on two of our AKS clusters. The problem was that AKS clusters created prior to March 2019 have certificates that expire after two years.
Ours was created two years ago yesterday and we had to rotate the certificates to get them working again.
Two feedback items around this.
1) There was little information on this online. We feel this was very under-communicated from Microsoft / AKS. Also, there were no alerts or anything that this certificate was expiring. I know the expiry has been changed to 30 years now, but there must be many clusters which are still to expire as happened to ours. There should be more alerts and notifications letting Azure customers know that the certificate is expiring and action needs to be taken.
2) As the API side of Kubernetes in AKS is managed, we would feel that this certificate was Microsoft's responsibility, not ours. Maybe there is a way that these certificates can be rotated automatically?