Certificate issuance cleanup and hardening

[johngmyers]

I'd like to clean up and consolidate our certificate issuance code. It would be nice to harden things in the process. I'd like some input on the requirements.

Currently, most certificates and private keys are created out of Keystore.CreateKeypair(), called from upup/pkg/fi/fitasks/Keypair. All of these pairs are per-cluster, stored in the keystore in the VFS. They're also all issued with 10 year lifetimes.

The exceptions are created at nodeup time and are one per node:

• The master kubelet client certificate is created by KubeletBuilder.buildMsterKubeletKubeconfig(). It also has a 10 year lifetime.

• The kube-apiserver-healthcheck client cert is created by KubeAPIServerBuilder.buildClientKeypair(). It also has a 10 year lifetime.

• The kube-apiserver client cert for authenticating to etcd is created by EtcdManagerTLSBuilder.buildKubeAPIServerKeypair(). It has a 1 year lifetime.

• The Cilium client cert for agents authenticating to the cilium etcd is created by CiliumBuilder.buildCiliumEtcdSecrets. It has a 1 year lifetime.

My first question is about the discrepancy between 1 year and 10 year lifetimes. Is there a requirement to support masters or node instances with lifetimes greater than one year? If not, then I'd like to reduce the lifetimes of all non-CA certificates to 1 year, to reduce the number of places that 10-year keys are left around. If so, then those existing 1 year lifetimes are a problem.

Perhaps we'd want a field in the cluster spec for the lifetime of non-CA certificates, so sites that update their nodes every 30 days or so could drop the lifetime down to something like the 60-day range?

I think for cleanup I'd create a nodeup task for creating a keypair and transition all the non-CA keypairs (or at least all master non-CA keypairs) from fitasks.Keypair to it. An alternative would be to move all those that happen after apiserver and kops-controller are up to using a certificatesigningrequest API.

@justinsb what are your thoughts?

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[johngmyers]

Progress:

• The certificates that are specific to the master, excluding ones for the legacy etcd manager and node-authorizer, have been migrated to being issued by nodeup.
• I do not plan to migrate the certificates for the legacy etcd manager or node-authorizer. I expect those features to deprecate out.
• Migrating the the "kubecfg" admin cert to be issued at export time is Reduce the lifetime of exported kubecfg credentials #9593.
• Migrating the kubelet certificate is Bootstrap worker nodes using kops-controller #9653.
• The remaining certificates used by worker nodes will follow Bootstrap worker nodes using kops-controller #9653.

/remove-lifecycle stale

[johngmyers]

This work is complete.