SKS Certificates and API Keys

Certificates Authorities

Several certificates authorities are generated when you create a cluster. You can retrieve the public certificate for some of these authorities by using the exo compute sks authority-cert <CLUSTER-NAME|ID> <AUTHORITY> command in the CLI.

The authorities are:

  • kubelet: the authority generating certificates for the Kubelet daemon running on the workers.
  • aggregation: the authority used by the aggregation layer.

Addon credentials

Both the Exoscale Cloud Controller Manager CCM and Exoscale Container Storage Interface CSI addons need a set of credentials to communicate with the platform. An IAM role and api key are created automatically per-addon and per-cluster on your account when you create or update a cluster with addons selected. The lifecycle of these credentials is managed by Exoscale. They are deleted automatically once the cluster is deleted.

Credentials managed by Exoscale SKS all have following naming scheme: sks-<addon>-<cluster-id> eg. sks-ccm-859ece7e-f4ec-4eab-a77f-d06a1cfc08fd

In case of unintended deletion of the credentials one can rotate specific credentials

  • from the CLI exo compute sks rotate-ccm-credentials <CLUSTER-NAME|ID> or soon exo compute sks rotate-csi-credentials <CLUSTER-NAME|ID>
  • from the Portal under cluster details