container-service-extension

expiration of self-signed certificates in kubernetes clusters

Open xander-sh opened this issue 3 years ago • 1 comments

Hello. We provide CSE for an internal dev team. How can we keep track of the expiration of self-signed certificates in Kubernetes clusters? I can run kubeadm alpha certs check-expiration on the master node.

kubeadm alpha certs  check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Aug 14, 2021 11:45 UTC   140d            no
apiserver                  Aug 14, 2021 11:45 UTC   140d            no
apiserver-etcd-client      Aug 14, 2021 11:45 UTC   140d            no
apiserver-kubelet-client   Aug 14, 2021 11:45 UTC   140d            no
controller-manager.conf    Aug 14, 2021 11:45 UTC   140d            no
etcd-healthcheck-client    Aug 14, 2021 11:45 UTC   140d            no
etcd-peer                  Aug 14, 2021 11:45 UTC   140d            no
etcd-server                Aug 14, 2021 11:45 UTC   140d            no
front-proxy-client         Aug 14, 2021 11:45 UTC   140d            no
scheduler.conf             Aug 14, 2021 11:45 UTC   140d            no

Does CSE have some internal logic to keep track of cert expiration?

xander-sh, Mar 26 '21 12:03

Currently CSE does not have internal logic to track when the certs expire. There are thoughts on providing an external CA, which can make this process simpler, as a future task. However, that task is not yet planned.

arunmk, Mar 26 '21 17:03
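
Since CSE does not track expiry itself, one way to monitor it from outside is to parse the check-expiration table shown in the question and alert below a threshold. This is an added example, not code from the thread or from the CSE project; the function names `expiring_certs` and `sample_table` are hypothetical, the sample table is constructed, and the residual-time forms other than the `140d` seen above (`9y`, `20h`, `<invalid>` for an expired certificate) are assumptions about kubeadm's output.

```shell
#!/bin/sh
# Added example: flag kubeadm-managed certificates that are close to expiry.
# Input on stdin: the table printed by `kubeadm alpha certs check-expiration`.

# expiring_certs THRESHOLD_DAYS
# Prints "name residual" for every certificate whose RESIDUAL TIME is below
# the threshold. Returns 1 if any were found, 0 otherwise, so it can drive
# a cron job or a monitoring check.
expiring_certs() {
    awk -v limit="$1" '
        # Convert a short duration (140d, 9y, 20h, <invalid>) to whole days.
        # The y/h/<invalid> forms are assumed; only "d" appears on the page.
        function to_days(r,   n, u) {
            if (r == "<invalid>") return -1      # already expired
            n = r + 0                            # leading number of the field
            u = substr(r, length(r))             # trailing unit letter
            if (u == "y") return n * 365
            if (u == "d") return n
            return 0                             # h, m, s: less than a day
        }
        # Data rows end with RESIDUAL TIME, then the yes/no EXTERNALLY MANAGED
        # flag; the header and the echoed command line do not match.
        $NF == "no" || $NF == "yes" {
            if (to_days($(NF - 1)) < limit) {
                print $1, $(NF - 1)
                found = 1
            }
        }
        END { exit found + 0 }
    '
}

# Constructed sample input (not real cluster output) covering each case.
sample_table() {
    cat <<'EOF'
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Aug 14, 2021 11:45 UTC   140d            no
apiserver                  Apr 10, 2021 11:45 UTC   14d             no
etcd-server                Mar 27, 2021 08:00 UTC   20h             no
front-proxy-client         Mar 20, 2021 11:45 UTC   <invalid>       no
EOF
}

# On a master node (kubeadm version as in the question):
#   kubeadm alpha certs check-expiration | expiring_certs 30 || echo "renew soon"
```
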