Add support for user-provided CA certificates #6615

Merged
merged 9 commits into from
Feb 6, 2023

Member

@brandond brandond commented Dec 7, 2022

Proposed Changes

  • Add a sample script for generating root, intermediate, and cluster CA certificates
  • Fix kube-controller-manager cluster-signing certificates when root CAs are not self-signed.

Types of Changes

enhancement

Verification

  • Use script to generate CA certs before startup; note that cluster works properly and uses generated certs.

Testing

Linked Issues

User-Facing Change

K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the GitHub repo at [contrib/util/certs.sh](https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh).

Further Comments

@brandond brandond force-pushed the custom-cert-gen branch 2 times, most recently from a11c58d to 00a096a Compare December 7, 2022 01:11
@brandond brandond force-pushed the custom-cert-gen branch 6 times, most recently from 4e45196 to c8caa4b Compare December 19, 2022 22:54
@brandond brandond marked this pull request as ready for review December 19, 2022 23:04
@brandond brandond requested a review from a team as a code owner December 19, 2022 23:04
@brandond brandond changed the title [WIP] Add support for user-provided CA certificates Add support for user-provided CA certificates Dec 19, 2022
@brandond brandond force-pushed the custom-cert-gen branch 7 times, most recently from ea40691 to 01e7d39 Compare January 14, 2023 21:35
Signed-off-by: Brad Davidson <[email protected]>
This command must be run on a server while the service is running. After this command completes, all the servers in the cluster should be restarted to load the new CA files.

Signed-off-by: Brad Davidson <[email protected]>
Signed-off-by: Brad Davidson <[email protected]>
@brandond brandond force-pushed the custom-cert-gen branch 3 times, most recently from 3b54bb5 to 9d31280 Compare January 31, 2023 01:33
huapox commented Feb 3, 2023

+1
