trust-manager

Automatic CA rotation support

Open smoshiur1237 opened this issue 2 years ago • 1 comment

We are using Cluster API (CAPI) for LCM of Kubernetes. CAPI has the ability to deploy many target clusters from a management cluster. So we are creating a management cluster which can deploy multiple target clusters. Here, I would like to rotate a k8s cluster CA, which involves many different steps and restarts (rolling upgrade) of pods and updates on other resources (config maps, secrets, service accounts), all of which is manual: k8s CA rotation

I am looking for available options to do automatic CA rotation at scale, as manual operation on each cluster will be very costly and time consuming. So, it would be interesting to know and understand how the community is addressing this issue. Are there any plans to support this feature, or how would you tackle this kind of situation? I would like to get your opinions and suggestions.

There are also use cases in which the CA of the target clusters might be different from that of the management cluster.

  1. Deployment of a management cluster and multiple target clusters with the same CA. Perform the cluster CA rotation on the target clusters and the management clusters without impact on traffic.
  2. Deployment of a management cluster and many target clusters with different CAs. Perform the cluster CA rotation on the target clusters and the management clusters without impact on traffic.

/kind feature

smoshiur1237, May 17 '23 06:05

@smoshiur1237: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

In response to this:

We are using Cluster API (CAPI) for LCM of Kubernetes. CAPI has the ability to deploy many target clusters from a management cluster. So we are creating a management cluster which can deploy multiple target clusters. Here, I would like to rotate a k8s cluster CA, which involves many different steps and restarts (rolling upgrade) of pods and updates on other resources (config maps, secrets, service accounts), all of which is manual: k8s CA rotation

I am looking for available options to do automatic CA rotation at scale, as manual operation on each cluster will be very costly and time consuming. So, it would be interesting to know and understand how the community is addressing this issue. Are there any plans to support this feature, or how would you tackle this kind of situation? I would like to get your opinions and suggestions.

There are also use cases in which the CA of the target clusters might be different from that of the management cluster.

  1. Deployment of a management cluster and multiple target clusters with the same CA. Perform the cluster CA rotation on the target clusters and the management clusters without impact on traffic.
  2. Deployment of a management cluster and many target clusters with different CAs. Perform the cluster CA rotation on the target clusters and the management clusters without impact on traffic.

/kind feature

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

jetstack-bot, May 17 '23 06:05