New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow CA issuer secret rotation #2478
Comments
Instead of the CA issuer generating its own certificate, you should use the self signed issuer type to automatically handle renewing the CA certificate. That said, the CA issuer should have a mechanism for rotating all leafs under the root, as this is a generally useful thing. The steps you've suggested do make sense, however I'm concerned that if cert-manager is too opinionated here then we'll build an API that works for nobody - I'd rather cert-manager provider API primitives that allow for different rotation strategies to be built, and then provide a sane default implementation perhaps like you've described. Right now, trust distribution isn't handled by cert-manager - in some cases, reading the |
Issues go stale after 90d of inactivity. |
/remove-lifecycle stale |
/area ca |
We suffer the same issue, we are using kiam and have setup an issuer with a self signed CA cert, but if the CA cert renews, the old server and agent certs are no longer valid, often resulting in an outage forcing us to remove the agent and server cert secrets to let it generate new ones. Would be greate if there could be a dependency chain or something where we could link the agent/server certs to the CA cert and have them renew when the CA cert does. @munnerz is that the kind of thing you were thinking? how are people handling this today, we basically have a kiam outage every 3 months resulting in some downtime and manual intervention which is becoming painful, often the CA cert will renew leaving the agent/server certs invalid until they renew which may or may not be shortly after the CA cert. |
This is something we've been planning to do for a while but isn't easy to execute properly. It is on our longer term roadmap, however PRs are always welcome |
I think the solution here requires preserving both the old and new CA key for some overlapping period during the renewal. This also means publishing a "caBundle" rather than just a single CA in secret/ca.crt, etc.
For cert-manager, I think this means we need a way to keep both keys around somehow. (cainjector should obviously also be updated to inject multiple CA certs.) |
For the specific case of setting up an internal CA to use for kubernetes webhooks and API services, tell the CA injector to inject from the issued certificate instead of referencing the certificate issued to the CA. This works because:
A similar approach may be suitable for some other use cases. |
Given the realization shared in my prior comment, you only need to re-issue certificates if clients cannot be told to trust the CA cert in the issued certificates instead of trusting the current CA cert that would be issued for issuance. Not sure if that helps with kiam, I don't know how that is setup. |
Issues go stale after 90d of inactivity. |
Stale issues rot after 30d of inactivity. |
We have an issue where we have these:
Details on the resources:
The problem is, if Automatically reissuing the certificates issued by a CA if its certificate change seems like the most obvious solution. (I'm not exactly sure how our app validates the cert - the microservices might be using the ca.crt from its own certificate secret (I only left 1 app cert in the examples above to keep it shorter) Edit: I'll need to double check exactly where in the |
So ... I understand the issue, and how it has not yet been resolved.. quick question though. If we need to rely on making sure that our applications mount in the actual certificate authority |
I guess you're not really rotating the CA key here, though, you're just issuing a new certificate with new expiry dates. |
chiming in to say that exactly this happened to me 3 months after setting up the documented self-signed > CA Issuer > certificate chain, and the solution to this problem is absolutely not obvious |
Issues go stale after 90d of inactivity. |
Issues go stale after 90d of inactivity. |
/remove-lifecycle stale |
I feel like these are related:
Although the suggestion there is to manually copy issued CA certs into the bundle. I feel that an automated solution to maintain previous CA certs would still be valuable, maybe a new CRD called RotatingIssuer or something. |
We hit this on a webhook today. |
Just think out load on the implementation, would it be possible to add a new field in the In which case if the The implementation could be a reconciler watch the secrets and delete secrets that issued by this issuer. |
Issues go stale after 90d of inactivity. |
/remove-lifecycle stale |
Any updates on this issue? Are there any plans to get such feature as Our current solution is so watch the CA for rotation in our operator and then manually delete the corresponding leaf certs. |
Hey JeremyHarisch, Borrowing from anguslees' comment have your CA last at least twice as long as the child cert. For example |
This isn't true the way things are now. Currently if the CA secret is re-issued the old CA certificate is not retained. If there's a process that fetches the CA directly and tries to use it to validate a cert issued by the old CA secret, it fails. The only way to gracefully transition is if you have two CA secrets active at once, one to validate previously issued certificates and one to validate newly issued certificates. You have to keep the old CA cert until all the certificates it signed have been rotated. Note that there's an important difference between rotating the CA certificate (the public part) and the CA secret (the private part). You can re-issue the public certificate for the CA without invalidating the existing certificates; the public and private key in this case don't change, only the metadata like issue and expiry dates, so the old signatures are still valid. If you rotate the secret part (the private key) you also have to change the public key, so the old signatures will no longer match. The request here is to support the case where the CA secret can be rotated, not just re-issuing a new certificate for the same key pair. In this case we want the old CA public key to be retained and used to validate certificates until the old certificates are reissued using the new CA key pair. If that's too difficult, cert-manager could at least automatically re-issue all the previously issued certificates using the new CA key pair as quickly as possible to reduce downtime. |
We ran into this today. Our go-forward solution probably includes no longer creating ClusterIssuers. IIUC we can get the same effect without this problem by leveraging trust manager to make a CA bundle available for any local namespace level Issuer, so we will probably switch to namespace specific issuers if the above works as we hope. |
Issues go stale after 90d of inactivity. |
/remove-lifecycle stale |
Is your feature request related to a problem? Please describe.
The CA issuer will automatically rotate secrets for the secrets it generates, but what about rotating its own secret and certificate? What happens when its certificate expires? Anything trusting the secrets it generates will break. And if you give it a new secret? Well now either you have to instantly renew all certificates and make everything pick up those certificates at the same time. There has to be a better way.
Describe the solution you'd like
Provide the ability to configure multiple secrets (or at least, one secret, and additional certs). The additional certs are configured in k8s secrets as additional certs that a consumer should trust. Consumers can pick up these additional certs, and them to the list of root cas they trust. Now, it is possible to rotate ca certificates, without ever having something not trusting a certificate that should be trusted, with the following procedure:
Describe alternatives you've considered
I don't know if there are any alternatives - as discussed above, there's no other way to rotate root certificates without risking an outage.
/kind feature
The text was updated successfully, but these errors were encountered: