graceful CA rotation #8440

Closed
Tracked by #8010
smira opened this issue Mar 14, 2024 · 0 comments · Fixed by #8486

smira commented Mar 14, 2024

Allow Talos/Kubernetes CAs to be rotated gracefully.

Idea:

  • add a set of "accepted" CAs in addition to "issuing" CA
  • roll out new CA as accepted to all nodes
  • switch: make old CA accepted, new CA as issuing
  • drop old CA as accepted
  • update secrets.yaml, new talosconfig, kubeconfig, etc.
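
The steps listed above, modelled as an added Go example (not part of the issue and not Talos code): each step is a node's CA list, and a peer certificate is verified against the issuing CA plus the accepted CAs. The names `issue`, `trusts`, `plan` and `mutual` and the two CAs are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a certificate for cn; a nil issuer yields a self-signed CA.
func issue(cn string, issuer *tls.Certificate) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: issuer == nil, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if issuer == nil { // self-signed root
		tmpl.KeyUsage, issuer = x509.KeyUsageCertSign, &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer.Leaf, &key.PublicKey, issuer.PrivateKey))
	return &tls.Certificate{Leaf: must(x509.ParseCertificate(der)), PrivateKey: key}
}

// trusts reports whether a node holding CA list p verifies a certificate issued by a peer holding q.
func trusts(p, q []*tls.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, ca := range p {
		opts.Roots.AddCert(ca.Leaf)
	}
	_, err := issue("node", q[0]).Leaf.Verify(opts)
	return err == nil
}

// Constructed CAs; plan is a node's CA list at each step ([0] issues, the rest are accepted only):
// initial, new CA accepted, switched, old CA dropped. mutual checks steps i and j in both directions.
var oldCA, newCA = issue("old-ca", nil), issue("new-ca", nil)
var plan = [][]*tls.Certificate{{oldCA}, {oldCA, newCA}, {newCA, oldCA}, {newCA}}

func mutual(i, j int) bool { return trusts(plan[i], plan[j]) && trusts(plan[j], plan[i]) }
func main() { fmt.Println(mutual(0, 1), mutual(1, 2), mutual(2, 3), mutual(0, 2)) }
```

Nodes at adjacent steps verify each other in both directions, while a node still in the initial state rejects a peer that already issues from the new CA, which is why each step has to reach all nodes before the next one starts.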
smira self-assigned this Mar 14, 2024
smira added this to the v1.7 milestone Mar 14, 2024
smira added a commit to smira/crypto that referenced this issue Mar 14, 2024
Now we have cert & key, key and cert only wrappers.

For siderolabs/talos#8440

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira added a commit to smira/talos that referenced this issue Mar 22, 2024
Fixes siderolabs#8440

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira added a commit to smira/talos that referenced this issue Mar 23, 2024
Fixes siderolabs#8440

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira added a commit to smira/talos that referenced this issue Apr 1, 2024
Fixes siderolabs#8440

Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
github-actions bot locked as resolved and limited conversation to collaborators Jun 5, 2024