kubewarden-controller
kubewarden-controller copied to clipboard
kubewarden
Rotate CA
https://github.com/kubewarden/rfc/blob/main/rfc/0018-certificate-handling.md#internal-ca-changes
The internal CA managed by Kubewarden might be recreated (for example, to avoid its expiration). This is the most disruptive event that can happen, especially once some policies are deployed.
Once the new CA is generated, the following actions have to be performed:
- Generate a new CA bundle that contains the previous internal CA and the new one
- For each webhook configuration managed by Kubewarden (meaning all the policies deployed, plus the kubewarden-controller):
- Update the
clientConfig.caBundle: ensure it contains the CA bundle created during the previous step
- Update the
- For each
PolicyServerdefined:- Generate a new certificate, sign it with the new CA
- Force a rollout of the PolicyServer Deployment
- Kubewarden Controller:
- Generate a new certificate, sign it with the new CA
- Restart the controller to ensure its HTTPS endpoint uses the new certificate
Once all the rollout of the new Policy Server instances is done, and the kubewarden controller is using the new certificate:
- For each webhook configuration managed by Kubewarden (meaning all the policies deployed, plus the kubewarden-controller):
- Update the
clientConfig.caBundle: ensure it contains only the certitificate of the new CA
- Update the
By respecing these steps we can avoid communication failures between the Kubernetes API server and the webhooks.
https://github.com/kubewarden/rfc/pull/24#discussion_r1333308084
Open Questions
We need to spend time to make a proposal that covers in detail all the steps that have to be performed to rotate the root CA.
