coreos-kubernetes
tool for updating TLS assets in existing kube-aws clusters
I recently hit the 90-day mark on a development cluster built with kube-aws. This was a non-production cluster, so I used the default crypto assets. They worked great! The certificates are minted with a fairly short, 90-day lifetime, which makes a lot of sense, but once they expired, it'd be nice to be able to issue new certs. My dream feature would be to type something like kube-aws renew in the presence of my existing cluster.yaml and credentials.
I believe the 90-day limit was intentional (kube-aws is still very much in development and you should probably make a habit out of re-rolling your cluster).
#340 luckily already has this listed as a work item, so this'll get fixed eventually. With some work being done in kubernetes upstream (https://github.com/kubernetes/kubernetes/pull/25562) this will probably get easier.
@pieterlange this is correct; we don't want to prescribe an inadequate PKI-like solution, so we'd rather leave certificate rotation entirely open-ended until we have a reasonable solution.
If you're interested in this problem, there is some upstream work in this direction here
Does #608 address this, via kube-aws render credentials and kube-aws up --update?
@iameli yes it does! (though beware we are going to change the semantics of those cli commands!)
You'll be able to choose from the following options:
- generate all TLS assets
- generate certs/keys from existing/provided CA
- use existing/provided TLS assets
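The "generate certs/keys from existing CA" option above, as an added example in Go (the language kube-aws is written in) that is not code from the kube-aws project or this thread: it keeps an existing CA, mints a fresh server leaf with a chosen lifetime, and reports how many days a leaf has left, failing once it has expired, which is the lockout the 90-day default produces. The self-signed CA, the function names and the hostnames are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs tmpl with a fresh P-256 key; parent/parentKey sign it, or tmpl signs itself when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}
// NewCA builds a self-signed CA (constructed for this example; a real cluster would load the CA kube-aws already generated).
func NewCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour), KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
}
// RenewLeaf mints a new server cert for dnsNames from the existing CA: the trusted CA stays put, only NotAfter moves to now+days.
func RenewLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsNames []string, now time.Time, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: dnsNames[0]}, DNSNames: dnsNames,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Duration(days) * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, caKey)
}
// DaysLeft checks that cert chains to ca at time now and returns whole days until expiry; past NotAfter it returns an error.
func DaysLeft(cert, ca *x509.Certificate, now time.Time) (int, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now}); err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), nil
}
```

Run DaysLeft against the apiserver cert in your credentials directory on a schedule and alert well before it reaches zero; once it returns an error, only a new leaf from the same CA (RenewLeaf) gets the cluster talking again without re-distributing the CA.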
It is great that kube-aws will be able to generate sustainable certs. In the interim I had rolled a rough script to generate certs compatible with kube-aws that won't lock us out in a couple months :-)
https://github.com/whereisaaron/coreos-kubernetes-generate-certs
But being able to update certs across a running cluster is the key missing piece for me.