[design doc] Certificate Rotation #4271
Comments
Adding more information to the issue, this will include some information about how we implement and generate certificates in k3s/rke2:

Server Node

Generating certs in server nodes is divided into 4 function calls:

genClientCerts()

This function generates the following certs:

Note: k3s/rke2 generates a kubeconfig for each of these components that uses the certs except for the client-rke2-controller cert and key.

genServerCerts()

This function generates the following certs:

genRequestHeaderCerts()

genETCDCerts()

Agent Node

Agent gets its own certificates for kube proxy and kubelet in agent/config/config.go in the get() function; basically it calls the server with the --token and --server url to acquire the following certs:

- serving-kubelet.crt / serving-kubelet.key (to be used with kubelet's api server): A request is initiated from the agent to the server on URI /v1-rke2/serving-kubelet.crt. The server will generate this using the serving kubelet key it generated earlier (see above in the genServerCerts() section).
- client-kubelet.crt / client-kubelet.key (to be used in kubelet's kubeconfig file): A request is initiated from the agent to the server on URI /v1-rke2/client-kubelet.crt. The server will handle this request and generate a cert and key signed by client-ca.crt.
- client-kube-proxy.crt / client-kube-proxy.key (to be used in kubeproxy's kubeconfig): A request is initiated from the agent to the server on URI /v1-rke2/client-kubeproxy.crt. The server will handle this request and generate a cert and key signed by client-ca.crt.
- client-rke2-controller.crt / client-rke2-controller.key: A request is initiated from the agent to the server on URI /v1-rke2/client-rke2-controller.crt. The server will handle this request and return the cert it generated earlier for the controller.
Brian would like to leave this issue open as it outlines an additional work part of the epic that isn't complete. The client didn't ask for it, but it's a doc that represents all of the necessary features that will be implemented at some point. Those individual features would be linked against it.

This can be closed for now until the other features are asked for from a customer or otherwise needed. The initial design and implementation meets all requirements.
Problem Statement
K3s has no facilities to regenerate certificates once generated. Certificates are generated when the node bootstraps and those certificates are used through the course of the node's lifetime. The features outlined before are based on an analysis of RKE's features and capabilities for certificate rotation.
Proposal
We want to add an additional sub-command, "cert", to k3s and rke2. This sub-command will have additional commands underneath it. Any "write" operation will perform a backup of the resource prior to performing the requested action. These backups will be placed in a directory named with the UNIX timestamp in the tls directory.

Items marked TBD are out of scope for this round of development effort.

- rotate
- extend-expiry: TBD
- info: TBD
- generate-csr: TBD

Examples
Additional Considerations
The DynamicListener component manages its own certificate / key pair and this certificate should be rotated with the rest. The DynamicListener receives a "config" value for its configuration. To avoid changing the public API, we can add a field to the config struct of type func() bool. K3s will set this function after determining whether or not certificates need to be regenerated by looking for a file on disk set by the k3s cert rotate command.

The Rancher integration would be done via the System-Agent receiving a "certificate-rotation" plan populated with the necessary commands to perform the rotation.
Alternative Approaches
Related Issues
LOE Estimate
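The two mechanisms the proposal describes, a timestamped backup of the tls directory before any "write" operation and a func() bool callback that tells the DynamicListener whether certificates must be regenerated by looking for a marker file on disk, can be sketched in a few dozen lines of Go. The block below is an added illustration written for this page, not code from k3s, rke2 or the DynamicListener project; the struct name ListenerConfig, the field name RegenerateCerts, the marker file name and the helper names are all assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"time"
)

// ListenerConfig is a hypothetical stand-in for the DynamicListener config
// value mentioned in the design doc. The only addition is the callback
// field of type func() bool; everything else is left out.
type ListenerConfig struct {
	CertDir         string
	RegenerateCerts func() bool
}

// rotationRequested returns the func() bool the server would set on the
// config. It reports true only when the marker file (assumed to be written
// by `k3s cert rotate`) exists; any stat error, including permission
// problems, yields false so a misconfiguration cannot trigger a rotation.
func rotationRequested(marker string) func() bool {
	return func() bool {
		_, err := os.Stat(marker)
		return err == nil
	}
}

// backupCerts copies every regular file in tlsDir into tlsDir/<unix-ts>/
// and returns that backup directory. Sub-directories (earlier backups) and
// symlinks are skipped, and each copy keeps the original file mode so a
// 0600 private key stays 0600 in the backup.
func backupCerts(tlsDir string, now time.Time) (string, error) {
	backupDir := filepath.Join(tlsDir, strconv.FormatInt(now.Unix(), 10))
	if err := os.MkdirAll(backupDir, 0o700); err != nil {
		return "", err
	}
	entries, err := os.ReadDir(tlsDir)
	if err != nil {
		return "", err
	}
	for _, e := range entries {
		if !e.Type().IsRegular() {
			continue
		}
		info, err := e.Info()
		if err != nil {
			return "", err
		}
		data, err := os.ReadFile(filepath.Join(tlsDir, e.Name()))
		if err != nil {
			return "", err
		}
		dst := filepath.Join(backupDir, e.Name())
		if err := os.WriteFile(dst, data, info.Mode().Perm()); err != nil {
			return "", err
		}
	}
	return backupDir, nil
}

// rotate is the "write" operation: it backs up the tls directory first and
// only then overwrites the named files with their replacements. The backup
// directory is returned even when a later write fails, so an operator knows
// where the pre-rotation material lives.
func rotate(tlsDir string, newFiles map[string][]byte, now time.Time) (string, error) {
	backupDir, err := backupCerts(tlsDir, now)
	if err != nil {
		return "", err
	}
	for name, data := range newFiles {
		if err := os.WriteFile(filepath.Join(tlsDir, name), data, 0o600); err != nil {
			return backupDir, err
		}
	}
	return backupDir, nil
}

func main() {
	// Constructed sample: a throwaway tls directory with one placeholder cert.
	tlsDir, err := os.MkdirTemp("", "tls-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tlsDir)
	_ = os.WriteFile(filepath.Join(tlsDir, "client-ca.crt"), []byte("placeholder-old\n"), 0o600)

	cfg := ListenerConfig{
		CertDir:         tlsDir,
		RegenerateCerts: rotationRequested(filepath.Join(tlsDir, "rotate-requested")),
	}
	fmt.Println("rotation requested before marker:", cfg.RegenerateCerts())
	_ = os.WriteFile(filepath.Join(tlsDir, "rotate-requested"), nil, 0o600)
	fmt.Println("rotation requested after marker:", cfg.RegenerateCerts())

	backupDir, err := rotate(tlsDir, map[string][]byte{"client-ca.crt": []byte("placeholder-new\n")}, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("backup written to:", backupDir)
}
```

The callback deliberately returns false on any error other than a clean "file exists", which keeps a read-permission problem on the tls directory from being mistaken for a rotation request; the backup step likewise refuses to proceed if any file cannot be copied, so a partial backup is never followed by an overwrite.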