-
Notifications
You must be signed in to change notification settings - Fork 2.4k
K3s Cert Rotation
Justin J. Janes edited this page Jan 8, 2022
·
3 revisions
Certificate rotation
$ k3s certificate -h
NAME:
k3s certificate - Certificates management
USAGE:
k3s certificate command [command options] [arguments...]
COMMANDS:
rotate Certificate rotation
OPTIONS:
--debug (logging) Turn on debug logs [$K3S_DEBUG]
--config FILE, -c FILE (config) Load configuration from FILE (default: "/etc/rancher/k3s/config.yaml") [$K3S_CONFIG_FILE]
--log value, -l value (logging) Log to file
--alsologtostderr (logging) Log to standard error as well as file (if set)
--data-dir value, -d value (data) Folder to hold state default /var/lib/rancher/k3s or ${HOME}/.rancher/k3s if not root
--service value, -s value List of services to rotate certificates for. Options include (admin, api-server, controller-manager, scheduler, k3s-controller, k3s-server, cloud-controller, etcd, auth-proxy, kubelet, kube-proxy)
--help, -h show help
(P1) Areas | Expected Result | Docs Needed? | Test Cases | Pass or Fail or Warn | Notes / GH Issue | |
---|---|---|---|---|---|---|
1 | All certs to be rotated before they expire automatically on startup | Any certificate that have less or equal 90 days left for its expiration should be successfully rotated along with its key | Yes https://github.com/k3s-io/k3s/issues/4271 |
PREREQUISTIES: You need a custom binary from a developer that generates the certs with less than 90 days expiration date (15 minutes is a good time-frame for testing).
NOTE: While testing you may see CA certs - these are currently expected to always be 10 years.
Test on server:
Test on agent:
|
|
|
2 | Recover from expired certs | Make sure that clusters with expired certs will be recovered after restarting k3s server |
|
PREREQUISTIES: You need a custom binary from a developer that generates the certs with less than 90 days expiration date (10 minutes is a good time-frame).
NOTE: While testing you may see CA certs - these are currently expected to always be 10 years.
Test on server and agent:
|
|
|
3 | Rotate ALL certs with CLI | expect that existing certs have been backed up adjacent to existing tls certs directory. New certs directory is created with all relevant files.
k3s operates normally without expired certificates in the cluster |
https://github.com/k3s-io/k3s/issues/4271 Yes - needs documentation |
Test on server:
|
pass on v1.22.5-rc1+k3s1 |
|
4 | rotate specific certs with CLI - k3s certificate rotate --service <VALUE> admin api-server controller-manager scheduler k3s-controller k3s-server cloud-controller etcd auth-proxy kubelet kube-proxy | expect that existing targeted cert is backed up adjacent to existing tls directory. New cert is located in the correct location. | Yes - needs documentation |
Test on server:
|
pass on v1.22.5-rc1+k3s1 |
|
5 | rotate certs with a live workload through the CLI - k3s certificate rotate |
|
|
Deploy workload to a cluster 3 servers 1 agent node
Test on server:
|
pass on
|
|
6 | rotate specific cert with a live workload on the cluster |
|
|
PREREQUISTIES: Deploy workload to a cluster 3 servers 1 agent node
Test on server:
|
pass on |
|
|
Functionality to be added
|
|
Additional cases to be aware of malformed individual service certificate rotation still triggered the certs to rotate. k3s certificate rotate --service --help |
|
|
|