
store CA in database for stateless masters

Open matti opened this issue 4 years ago • 9 comments

It would be awesome to run k0s master(s) as fully stateless - the cluster CA needs to be stored in a database like kine does, something like:

```yaml
spec:
  storage:
    type: ca
    kine:
      dataSource: mysql://root:kine@my-managed-database/ca
```

matti avatar Dec 16 '20 19:12 matti

OR better (?): accept a pre made CA from an ENV so that it is the same for every pod running the master regardless of the lifecycle

matti avatar Dec 16 '20 19:12 matti

This does sound like a nice feature in general.

> accept a pre made CA from an ENV

We do not have that sort of env currently, but you can already pre-dump the ca.{key,crt} files in /var/lib/k0s/pki and k0s will happily use them.

Note: In the case of HA controllers, you must also have pre-defined sa.{key,pub} so that all controllers use the same key for SA token creation/validation

jnummelin avatar Dec 17 '20 09:12 jnummelin

oh cool, can you explain this a bit more:

> Note: In the case of HA controllers, you must also have pre-defined sa.{key,pub} so that all controllers use the same key for SA token creation/validation

matti avatar Dec 17 '20 11:12 matti

So the controllers use the sa.key to sign the service account tokens. If there are multiple controller instances for HA, we need to be sure each of them is using the same keys. :)

jnummelin avatar Dec 18 '20 14:12 jnummelin

> This does sound like a nice feature in general.
>
> > accept a pre made CA from an ENV
>
> We do not have that sort of env currently, but you can already pre-dump the ca.{key,crt} files in /var/lib/k0s/pki and k0s will happily use them.
>
> Note: In the case of HA controllers, you must also have pre-defined sa.{key,pub} so that all controllers use the same key for SA token creation/validation

We can easily expose this option by accepting a path from the user in the k0s.yaml file and only generating a self-signed cert if there is none.

trawler avatar Dec 18 '20 15:12 trawler

The issue is marked as stale since no activity has been recorded in 30 days

jnummelin avatar Dec 22 '21 23:12 jnummelin

huh

matti avatar Dec 30 '21 14:12 matti

With the io/fs package that landed in 1.16 it should not be that hard. I think we already use it in the cert manager, so we can plug in some io/fs implementation, for example for S3, and it SHOULD work out of the box.

mikhail-sakhnov avatar Dec 31 '21 10:12 mikhail-sakhnov
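As an added example (not k0s code, and not anything the thread's participants wrote), the consistency check jnummelin describes for HA controllers, implemented the way mikhail-sakhnov suggests: the sa.key / sa.pub pair is loaded through io/fs from any pluggable backend and rejected if the two files do not belong together. Standard library only; fstest.MapFS stands in for /var/lib/k0s/pki, and the PEM encodings (PKCS#1 private key, PKIX public key) are an assumption.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io/fs"
	"testing/fstest"
)

// LoadSAKeyPair reads sa.key (PKCS#1 PEM) and sa.pub (PKIX PEM) from any fs.FS and rejects the pair
// unless the public key belongs to the private key; otherwise one controller would validate SA tokens against a key another never signed with.
func LoadSAKeyPair(fsys fs.FS) (*rsa.PrivateKey, error) {
	keyPEM, errKey := fs.ReadFile(fsys, "sa.key")
	pubPEM, errPub := fs.ReadFile(fsys, "sa.pub")
	if errKey != nil || errPub != nil {
		return nil, fmt.Errorf("reading SA pair: %v / %v", errKey, errPub)
	}
	keyBlock, _ := pem.Decode(keyPEM)
	pubBlock, _ := pem.Decode(pubPEM)
	if keyBlock == nil || pubBlock == nil {
		return nil, fmt.Errorf("sa.key or sa.pub is not PEM")
	}
	key, errKey := x509.ParsePKCS1PrivateKey(keyBlock.Bytes)
	pub, errPub := x509.ParsePKIXPublicKey(pubBlock.Bytes)
	if errKey != nil || errPub != nil {
		return nil, fmt.Errorf("parsing SA pair: %v / %v", errKey, errPub)
	}
	if rsaPub, ok := pub.(*rsa.PublicKey); !ok || !key.PublicKey.Equal(rsaPub) {
		return nil, fmt.Errorf("sa.pub does not match sa.key; HA controllers would disagree on SA tokens")
	}
	return key, nil
}

// NewSamplePKI is a constructed in-memory stand-in for /var/lib/k0s/pki (assumption: k0s itself reads real files).
// With matching=false, sa.pub comes from a second key pair, like two controllers that each generated their own SA key.
func NewSamplePKI(matching bool) fs.FS {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // fixture only: errors ignored
	src := key
	if !matching {
		src, _ = rsa.GenerateKey(rand.Reader, 2048)
	}
	pubDER, _ := x509.MarshalPKIXPublicKey(&src.PublicKey)
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	return fstest.MapFS{"sa.key": {Data: keyPEM}, "sa.pub": {Data: pubPEM}}
}
```

Swapping fstest.MapFS for an os.DirFS("/var/lib/k0s/pki") or an S3-backed fs.FS is the only change needed to run the same check against a real controller's key material.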

The issue is marked as stale since no activity has been recorded in 30 days

github-actions[bot] avatar Jan 30 '22 23:01 github-actions[bot]