Improve support for rotating the default self-signed certs #7032

Merged
merged 2 commits into from
Mar 13, 2023

Conversation

brandond
Member

@brandond brandond commented Mar 7, 2023

Proposed Changes

While writing docs for self-signed cert CA rotation, I realized it really needs its own script. There's also a tweak to the client and server certs and rotate-ca validation checks that we can make to avoid having to restart all the pods after rotating the default self-signed CA certs.

  • Update/rename certs.sh to add support for openssl v1.0
  • Add default cert rotation script
  • Add support for rotating the default self-signed certs

Types of Changes

enhancement

Verification

See docs

Testing

Linked Issues

User-Facing Change

The `k3s certificate rotate-ca` checks now support rotating self-signed certificates without the `--force` option.

Further Comments

@brandond brandond requested a review from a team as a code owner March 7, 2023 23:09
@brandond brandond force-pushed the more_cert_scripts branch 4 times, most recently from 092edb6 to a8757e1 Compare March 8, 2023 01:10
@brandond brandond changed the title Update CA certificate management scripts Improve support for rotating the default self-signed certs Mar 8, 2023
@brandond brandond force-pushed the more_cert_scripts branch 3 times, most recently from 0119333 to 74804b6 Compare March 8, 2023 08:53
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
We need to send the full chain in order for cross-signing to work
properly during switchover to a new root.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@brandond brandond force-pushed the more_cert_scripts branch from 432b40a to 82e2b80 Compare March 11, 2023 07:14
@brandond brandond merged commit 977a855 into k3s-io:master Mar 13, 2023
@brandond brandond deleted the more_cert_scripts branch June 6, 2024 21:18
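
The second commit message above says the full chain must be sent for cross-signing to work during switchover to a new root. The script below is an added example, not code from this pull request or from k3s: it builds a constructed old root, new root, cross-signed copy of the new root and a leaf (all file names and CNs are hypothetical) and uses `openssl verify` to show which chains each client accepts.

```shell
#!/bin/sh
# Added illustration. CNs and file names are constructed, not k3s paths.

mkcsr() {  # mkcsr <name>: fresh RSA key plus a CSR with CN=<name>
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
}

sign() { openssl x509 -req -days 2 "$@" >/dev/null 2>&1; }

build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  mkcsr old-ca && mkcsr new-ca && mkcsr leaf || return 1
  # Old and new roots, each self-signed.
  sign -in old-ca.csr -signkey old-ca.key -extfile ca.ext -out old-ca.crt || return 1
  sign -in new-ca.csr -signkey new-ca.key -extfile ca.ext -out new-ca.crt || return 1
  # Cross-signed cert: the new CA's subject and key, issued by the old root.
  sign -in new-ca.csr -CA old-ca.crt -CAkey old-ca.key -set_serial 2 \
    -extfile ca.ext -out new-ca-cross.crt || return 1
  # Leaf (a server or client cert) issued by the new CA.
  sign -in leaf.csr -CA new-ca.crt -CAkey new-ca.key -set_serial 3 -out leaf.crt
}

verifies() {  # verifies <trusted-root> <leaf> [extra cert sent by the peer]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
  fi
}

run_demo() {
  dir=$(mktemp -d) || return 1
  rc=0
  (
    cd "$dir" && build_pki || exit 1
    # Client still trusting the old root; peer sends only the leaf.
    verifies old-ca.crt leaf.crt && a=ok || a=fail
    # Same client; peer sends leaf plus the cross-signed cert (full chain).
    verifies old-ca.crt leaf.crt new-ca-cross.crt && b=ok || b=fail
    # Client already trusting the new root; full chain is still accepted.
    verifies new-ca.crt leaf.crt new-ca-cross.crt && c=ok || c=fail
    echo "old-root/leaf-only=$a old-root/full-chain=$b new-root/full-chain=$c"
  ) || rc=$?
  rm -rf "$dir"
  return "$rc"
}

run_demo
```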