Comments (21)

davidnuzik avatar davidnuzik commented on June 11, 2024 1

@brandond looks like this isn't going to make it in the milestone; moving to next.

from rke2-docs.

mahantsucf avatar mahantsucf commented on June 11, 2024 1

I have configured a k3s cluster with multi-master by having own CA certs & all looks good (followed the link for the same k3s-io/k3s#1868). Rotating of certs also works after restarting k3s on all 3 masters. But what is the process to rotate CA certs? If I rotate CA certs the cluster won't start due to an etcd issue. Anyone tried this before? Please share your experience.


cwayne18 avatar cwayne18 commented on June 11, 2024 1

@caroline-suse-rancher @brandond @wjimenez5271 as we've been getting this request a lot I think it makes sense to start looking into it for inclusion into 1.26


sraillard avatar sraillard commented on June 11, 2024

For k3s, these commands generate certificates very close to those generated during a k3s v1.19.5+k3s1 fresh installation (using elliptic curves):

openssl ecparam -name prime256v1 -genkey -noout -out client-ca.key
openssl ecparam -name prime256v1 -genkey -noout -out server-ca.key
openssl ecparam -name prime256v1 -genkey -noout -out request-header-ca.key

openssl req -x509 -set_serial 0 -new -key client-ca.key         -sha256 -days 7305 -out client-ca.crt         -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-client-ca'
openssl req -x509 -set_serial 0 -new -key server-ca.key         -sha256 -days 7305 -out server-ca.crt         -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-server-ca'
openssl req -x509 -set_serial 0 -new -key request-header-ca.key -sha256 -days 7305 -out request-header-ca.crt -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign -subj '/CN=k3s-request-header-ca'

I have noticed two differences:

  • For the original certificates, the CN is suffixed with a timestamp, looking like that: CN = k3s-client-ca@1608074122. Is it important to add this timestamp? Can k3s work correctly without it?
  • A small difference, openssl is adding the X509v3 extensions "Authority Key Identifier", but it must not be an issue.


howels avatar howels commented on June 11, 2024

Please provide information to allow us to use an external CA to sign either the RKE2 CA or the individual certs.


Martin-Weiss avatar Martin-Weiss commented on June 11, 2024

It would also be nice if we could add the information on

  1. how to replace the CA after deployment
  2. how to use an intermediate CA instead of a root CA


brandond avatar brandond commented on June 11, 2024

Wholesale replacement of the CAs isn't likely to work, since all of the tokens and certificates within the cluster end up signed using the initial CAs. You should be able to renew or cross-sign them, but that's about it.

Use of an intermediate CA isn't currently supported, as the certificate auto-renew code will re-sign the certs using their own key (turning them back into self-signed root CAs) when they are about to expire.


Martin-Weiss avatar Martin-Weiss commented on June 11, 2024

Yeah - I believe we might need to re-think the big picture of using / providing and managing certificates... having so many different CAs, monitoring and maintaining them / replacing them is not very user and customer friendly and I am still not sure I understand why it was built in a way where we have to have several CAs for each K8S cluster...


brandond avatar brandond commented on June 11, 2024

That's how Kubernetes works? Regardless of whether it's self-managed via kubeadm, or a hosted offering such as EKS - they all have multiple self-signed CA certs that are unique to that cluster.


Martin-Weiss avatar Martin-Weiss commented on June 11, 2024

That's how Kubernetes works? Regardless of whether it's self-managed via kubeadm, or a hosted offering such as EKS - they all have multiple self-signed CA certs that are unique to that cluster.

Yes - I just do not understand the "why" as I do not see the sense behind having so many different CAs... ;-). I would expect a hierarchy with one root CA (self signed or external) and maybe some intermediates in customer environments... I might need to dig deeper...


0xVox avatar 0xVox commented on June 11, 2024

So if I followed the steps here: k3s-io/k3s#1868 (comment)

And s/k3s/rke2 in the file path, RKE2 will roll with the provided keys in that directory?

Edit, yes, the answer is yes that does work!


galal-hussein avatar galal-hussein commented on June 11, 2024

This is the summary of what we offer for this feature in rke1 compared to rke2

RKE1

  • rke1 provides a subcommand for generating the CSRs:
rke cert generate-csr
  • the CSRs will contain the right CN/Org/SANs that the certs should be provisioned with
  • rke1 contains a flag to point to a custom cert directory instead of generating self-signed certs:
rke up --custom-certs --certs-dir <path/to/certs/dir>

K3S/RKE2

As explained in the issue, the user will need to issue the certs/keys and place them in the right places before starting rke2/k3s. As for using a custom CA (or real CA), I don't think it will fully work unless you provide the CA cert/key, which is not always the case if you are using a real CA (you can only provide a certificate), reference: https://github.com/k3s-io/k3s/blob/master/pkg/daemons/control/deps/deps.go#L553-L556


cjellick avatar cjellick commented on June 11, 2024

@galal-hussein regarding this point:

as for using a custom CA (or real CA), I don't think it will fully work unless you provide the CA cert/key which is not always the case if you are using a real CA (you can only provide a certificate)

How does this compare to RKE1? From this bit of documentation:
https://rancher.com/docs/rke/latest/en/installation/certs/#certificates
I take it that RKE1 will similarly require CA certs and keys.


galal-hussein avatar galal-hussein commented on June 11, 2024

@galal-hussein regarding this point:

as for using a custom CA (or real CA), I don't think it will fully work unless you provide the CA cert/key which is not always the case if you are using a real CA (you can only provide a certificate)

How does this compare to RKE1? From this bit of documentation:
https://rancher.com/docs/rke/latest/en/installation/certs/#certificates
I take it that RKE1 will similarly require CA certs and keys.

No, it just requires the CA, which you can get; however the key doesn't exist because it belongs to the CA. So rke2 similarly should only check for the CA certificate; however, the code right now checks for both.


maximmasiutin avatar maximmasiutin commented on June 11, 2024

There is a discussion on this topic at https://stackoverflow.com/questions/67995687/which-of-the-elliptic-curves-are-supported-for-the-kubernetes-certificates


katran001 avatar katran001 commented on June 11, 2024

@galal-hussein @brandond Do we plan on doing anything with this for this release or move it to backlog?


manuelbuil avatar manuelbuil commented on June 11, 2024

This would be extremely helpful. There is currently a user asking about this for k3s.


brandond avatar brandond commented on June 11, 2024

Documenting custom CA certificate generation is an easy enough task, assuming we can hold on to the requirement that the certs must be generated before the cluster starts.

Supporting rotation or renewal of the cluster CAs may be slightly more difficult, as the node join workflow currently checks the hash of the certificate, and any changes (such as extending its expiration) will invalidate that and cause the node to fail to validate the cluster cert next time it restarts, if that node is using the full K10 format token. So we'll probably need to fix that first.

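Added example, not code from this thread, k3s or rke2, that ties together sraillard's openssl recipe above and the K10 token hash problem brandond describes: it issues the three CAs with the timestamped CN the original certs carry, derives a K10-style join token from the server CA, then renews the CA with its own key and shows the token's embedded hash no longer matches. It assumes the openssl CLI (1.1.1 or newer, for -addext) is on PATH and that the token hash is SHA-256 over the server-ca.crt PEM bytes (an assumption about the token format); the output directory and credentials are constructed.

```shell
#!/bin/sh
# Added example (not from the issue thread, k3s or rke2). Assumes the openssl
# CLI is on PATH; treating the K10 hash as SHA-256 over the PEM file is an
# assumption about the token format.
set -eu

issue_ca() {
    # $1 = key file (created if missing), $2 = CN, $3 = output cert file
    [ -f "$1" ] || openssl ecparam -name prime256v1 -genkey -noout -out "$1"
    openssl req -x509 -set_serial 0 -new -key "$1" -sha256 -days 7305 -out "$3" \
        -subj "/CN=$2" \
        -addext keyUsage=critical,digitalSignature,keyEncipherment,keyCertSign
}

gen_cas() {
    # $1 = output directory; writes client-ca, server-ca and request-header-ca,
    # each with the "name@unix-timestamp" CN seen on a fresh k3s install
    dir="$1"; ts=$(date +%s); mkdir -p "$dir"
    for name in client server request-header; do
        issue_ca "$dir/$name-ca.key" "k3s-$name-ca@$ts" "$dir/$name-ca.crt"
    done
}

# Hex SHA-256 of a certificate file (the value a K10 token embeds, by assumption)
ca_hash() { openssl dgst -sha256 "$1" | awk '{print $NF}'; }

# Re-issue an existing CA with its own key and the same subject but fresh
# validity: the renewal brandond describes. The bytes, and so the hash, change.
renew_ca() {
    # $1 = key file, $2 = cert file (overwritten in place)
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//; s/^CN=//')
    issue_ca "$1" "$cn" "$2"
}

# Build a token in the K10<hash>::<user>:<password> shape from a server CA file
make_token() { printf 'K10%s::%s:%s' "$(ca_hash "$1")" "$2" "$3"; }

# Does the hash embedded in a K10 token still match the on-disk server CA?
# Returns non-zero after a renewal, which is what makes a joined node fail.
token_matches_ca() {
    # $1 = token, $2 = server-ca.crt
    want=$(printf '%s' "$1" | sed -n 's/^K10\([0-9a-f]\{64\}\)::.*/\1/p')
    [ -n "$want" ] && [ "$want" = "$(ca_hash "$2")" ]
}
```

Run `gen_cas /var/lib/rancher/k3s/server/tls`-style only against a scratch directory; the point is that `token_matches_ca` flips from success to failure once `renew_ca` has rewritten server-ca.crt, even though the key and subject are unchanged.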

brandond avatar brandond commented on June 11, 2024

We should also make sure we cover using intermediate CAs, as described at rancher/rke2#3650.


zackbradys avatar zackbradys commented on June 11, 2024

@brandond @cwayne18 @galal-hussein Seeing if there is an update on this issue. Currently supporting a customer that is requiring it for an RKE2 deployment.


dereknola avatar dereknola commented on June 11, 2024

Addressed by #101
