From c35d70d5e8a4059f4f2460a583f34d4bc218db76 Mon Sep 17 00:00:00 2001 From: Bjorn Neergaard Date: Wed, 25 Jan 2023 16:21:35 -0700 Subject: [PATCH] swarm: call out CA rotation as potentially dangerous with MKE Signed-off-by: Bjorn Neergaard --- engine/swarm/how-swarm-mode-works/pki.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/engine/swarm/how-swarm-mode-works/pki.md b/engine/swarm/how-swarm-mode-works/pki.md index 555349a9684..b077fdff364 100644 --- a/engine/swarm/how-swarm-mode-works/pki.md +++ b/engine/swarm/how-swarm-mode-works/pki.md @@ -60,6 +60,13 @@ reference for details. ## Rotating the CA certificate +> **Note** +> +> Mirantis Kubernetes Engine (MKE), formerly known as Docker UCP, provides an external +> certificate manager service for the swarm. If you run swarm on MKE, you shouldn't +> rotate the CA certificates manually. Instead, contact Mirantis support if you need +> to rotate a certificate. + In the event that a cluster CA key or a manager node is compromised, you can rotate the swarm root CA so that none of the nodes trust certificates signed by the old root CA anymore.
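Review bot: The added note under "## Rotating the CA certificate" tells MKE users not to rotate manually but never says why. The commit subject calls the operation "potentially dangerous", yet the note only states that MKE "provides an external certificate manager service for the swarm". Suggest adding one clause that names the consequence of a manual rotation on an MKE-managed swarm, so readers do not treat the note as optional advice. The last sentence of the note also says "rotate a certificate", while the heading and the unchanged paragraph below it speak of the CA certificate and the swarm root CA; wording such as "if you need to rotate the CA certificate" would keep the scope unambiguous. Finally, the paragraph that follows the note covers the case where a cluster CA key or a manager node is compromised, so it is worth stating explicitly that the "contact Mirantis support" guidance applies in that incident case as well, since that is when an operator is most likely to reach for a manual rotation.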