Comments (21)
@brandond looks like this isn't going to make it in the milestone; moving to next.
from rke2-docs.
I have configured a k3s cluster with multi-master by having our own CA certs & all looks good (followed the link for the same: k3s-io/k3s#1868). Rotating of certs also works after restarting k3s on all 3 masters. But what is the process to rotate CA certs? If I rotate CA certs, the cluster won't start due to an etcd issue. Anyone tried this before? Please share your experience.
@caroline-suse-rancher @brandond @wjimenez5271 as we've been getting this request a lot, I think it makes sense to start looking into it for inclusion into 1.26
For k3s, these commands generate certificates very close to those generated during a k3s v1.19.5+k3s1 fresh installation (using elliptic curves):
```bash
openssl ecparam -name prime256v1 -genkey -noout -out client-ca.key
openssl ecparam -name prime256v1 -genkey -noout -out server-ca.key
openssl ecparam -name prime256v1 -genkey -noout -out request-header-ca.key
openssl req -x509 -set_serial 0 -new -key client-ca.key -sha256 -days 7305 -out client-ca.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-client-ca'
openssl req -x509 -set_serial 0 -new -key server-ca.key -sha256 -days 7305 -out server-ca.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-server-ca'
openssl req -x509 -set_serial 0 -new -key request-header-ca.key -sha256 -days 7305 -out request-header-ca.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-request-header-ca'
```
I have noticed two differences:
- For the original certificates, the CN is suffixed with a timestamp, looking like this: `CN = k3s-client-ca@1608074122`. Is it important to add this timestamp? Can k3s work correctly without it?
- A small difference: openssl is adding the X509v3 extension "Authority Key Identifier", but it must not be an issue.
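The same three-CA generation done with Go's standard library, as an added example that is not from this thread or from the k3s project: it produces a self-signed P-256 CA with serial 0, a 7305-day lifetime, the same keyUsage bits, and the `<name>@<unix-timestamp>` CN seen on a fresh install. `NewK3sStyleCA` and `ParseCA` are names chosen here; `ParseCA` only needs the certificate, not the key, which is the check a node can run before the file is dropped into the tls directory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// NewK3sStyleCA returns PEM cert and key for a self-signed P-256 CA whose CN is
// "<name>@<unix-time>" (e.g. k3s-client-ca@1608074122), serial 0, 7305 days, same keyUsage as above.
func NewK3sStyleCA(name string, now time.Time) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(0),
		Subject:               pkix.Name{CommonName: fmt.Sprintf("%s@%d", name, now.Unix())},
		NotBefore:             now,
		NotAfter:              now.Add(7305 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// parent == template makes the certificate self-signed (a root CA, as k3s expects).
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil { return nil, nil, err }
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// ParseCA decodes a PEM CA and confirms it is a self-signed signing CA; this needs only
// the certificate, never the private key (the distinction raised for external CAs below).
func ParseCA(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil { return nil, fmt.Errorf("no PEM certificate found") }
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil { return nil, err }
	if !cert.IsCA || cert.KeyUsage&x509.KeyUsageCertSign == 0 {
		return nil, fmt.Errorf("%q is not a signing CA", cert.Subject.CommonName)
	}
	return cert, cert.CheckSignatureFrom(cert) // a self-signed root verifies against itself
}
```

Write `certPEM`/`keyPEM` to `<name>.crt` and `<name>.key` for each of `k3s-client-ca`, `k3s-server-ca` and `k3s-request-header-ca` to reproduce the files the openssl commands create.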
Please provide information to allow us to use an external CA to sign either the RKE2 CA or the individual certs.
It would also be nice if we could add the information on
- how to replace the CA after deployment
- how to use an intermediate CA instead of a root CA
Wholesale replacement of the CAs isn't likely to work, since all of the tokens and certificates within the cluster end up signed using the initial CAs. You should be able to renew or cross-sign them, but that's about it.
Use of an intermediate CA isn't currently supported, as the certificate auto-renew code will re-sign the certs using their own key (turning them back into self-signed root CAs) when they are about to expire.
Yeah - I believe we might need to re-think the big picture of using / providing and managing certificates... having so many different CAs, monitoring and maintaining them / replacing them is not very user and customer friendly, and I am still not sure I understand why it was built in a way where we have to have several CAs for each K8S cluster...
That's how Kubernetes works? Regardless of whether it's self-managed via kubeadm, or a hosted offering such as EKS - they all have multiple self-signed CA certs that are unique to that cluster.
> That's how Kubernetes works? Regardless of whether it's self-managed via kubeadm, or a hosted offering such as EKS - they all have multiple self-signed CA certs that are unique to that cluster.

Yes - I just do not understand the "why", as I do not see the sense behind having so many different CAs... ;-). I would expect a hierarchy with one root CA (self-signed or external) and maybe some intermediates in customer environments... I might need to dig deeper...
So if I followed the steps here: k3s-io/k3s#1868 (comment), and `s/k3s/rke2` in the file path, RKE2 will roll with the provided keys in that directory?

Edit: yes, the answer is yes, that does work!
This is the summary of what we offer for this feature in rke1 compared to rke2:

RKE1
- rke1 provides a subcommand for generating the CSRs: `rke cert generate-csr`
- the CSRs will contain the right CN/Org/SANs that the certs should be provisioned with
- rke1 contains a flag to point to a custom cert directory instead of generating self-signed certs: `rke up --custom-certs --certs-dir <path/to/certs/dir>`

K3S/RKE2
As explained in the issue, the user will need to issue the certs/keys and place them in the right places before starting rke2/k3s. As for using a custom CA (or real CA), I don't think it will fully work unless you provide the CA cert/key, which is not always the case if you are using a real CA (you can only provide a certificate); reference: https://github.com/k3s-io/k3s/blob/master/pkg/daemons/control/deps/deps.go#L553-L556
@galal-hussein regarding this point:

> as for using a custom CA (or real CA), I don't think it will fully work unless you provide the CA cert/key, which is not always the case if you are using a real CA (you can only provide a certificate)

How does this compare to RKE1? From this bit of documentation:
https://rancher.com/docs/rke/latest/en/installation/certs/#certificates
I take it that RKE1 will similarly require CA certs and keys.
> @galal-hussein regarding this point:
>
> > as for using a custom CA (or real CA), I don't think it will fully work unless you provide the CA cert/key, which is not always the case if you are using a real CA (you can only provide a certificate)
>
> How does this compare to RKE1? From this bit of documentation:
> https://rancher.com/docs/rke/latest/en/installation/certs/#certificates
> I take it that RKE1 will similarly require CA certs and keys.

No, it just requires the CA, which you can get; however, the key doesn't exist because it belongs to the CA, so rke2 similarly should only check for the CA certificate. However, the code right now checks for both.
There is a discussion on this topic at https://stackoverflow.com/questions/67995687/which-of-the-elliptic-curves-are-supported-for-the-kubernetes-certificates
@galal-hussein @brandond Do we plan on doing anything with this for this release or move it to backlog?
This would be extremely helpful. There is currently a user asking about this for k3s.
Documenting custom CA certificate generation is an easy enough task, assuming we can hold on to the requirement that the certs must be generated before the cluster starts.
Supporting rotation or renewal of the cluster CAs may be slightly more difficult, as the node join workflow currently checks the hash of the certificate, and any changes (such as extending its expiration) will invalidate that and cause the node to fail to validate the cluster cert next time it restarts, if that node is using the full K10 format token. So we'll probably need to fix that first.
We should also make sure we cover using intermediate CAs, as described at rancher/rke2#3650.
@brandond @cwayne18 @galal-hussein Seeing if there is an update on this issue. Currently supporting a customer that is requiring this for an RKE2 deployment.
Addressed by #101