Hi all,

We have received mails/notifications about a required rotation of the cluster's CA which will soon expire:

"The cluster Certificate Authority is going to expire on 2024-07-06. You must rotate the cluster credentials before its expiry to prevent cluster outage. If no action is taken, Google will attempt to rotate the cluster credentials within 30 days of expiry as a last resort to keep the cluster operational. If you have already started the rotation process, please complete the rotation."

We have completed this rotation quite straightforwardly on our staging GKE environment, and the warning notification within the cluster tab on the dashboard promptly disappeared. 

We have completed the same steps on the production GKE environment (including the complete-credential-rotation step), and a describe on the cluster also confirms that that the  certificate dates have been updated correctly:

gcloud container clusters describe platform-cluster-1 --region europe-west3-a --format "value(masterAuth.clusterCaCertificate)" --project my-project-name | base64 --decode | openssl x509 -noout -dates
notBefore=May 23 07:27:21 2024 GMT
notAfter=May 16 08:27:21 2054 GMT

What is bugging me however is that for the last day the expiration warning notification remains present on the cluster's dashboard, stating that it will expire early July. Given that a 'last resort' automatic rotation will be performed one month in before expiry, I'm concerned that this might take place in the coming weeks. 

Is it possible that these warnings are 'outdated' even though still present? Are there any ways to verify that the cluster credential is indeed rotated correctly (or not)?

thanks in advance!