3.6 KiB
Separate CA for k8s and etcd
Storyboard: https://storyboard.openstack.org/#!/story/2008833
This proposal will separate CA for k8s and etcd
Problem description
Currently, we are reusing kubernetes-ca for etcd but not using a separate CA. Making one single root CA by copying the root certificate/key would blur the boundary of certificates for apiserver and etcd. It may cause unforeseen complexities for future features. kubernetes-ca and etcd-ca have different purposes and usage. Sharing cert between kubernetes-ca and etcd-ca will dramatically increase the complexity of updating etcd-ca cert. We'd better refer to the best practice for k8s and etcd certs in1
Use Cases
- Admin wants to use a separate external root CA for etcd and k8s.
- Admin wants to maintain the root CA for etcd and k8s separately
Proposed change
Fresh Deployment
- Generate self-signed CA certificate for etcd before apply bootstrap
manifest
- Generate a unique CA for etcd and related certs.
-
Copy apiserver-etcd-client.crt/key to /etc/kubernetes/pki/ Copy etcd ca and etcd-server crt/key to /etc/etcd/ Do not modify the Kubernetes-ca in /etc/kubernetes/pki/ Change etcd-ca and certs paths, that will be used by api-server in playbookconfig/src/playbooks/roles/common/files/kubeadm.yaml.erb
Changes for upgrade process
Simplex
For simplex upgrade, it will use restore procedure during installing the new starlingx software. So we need to generate etcd-ca separately before apply bootstrap manifest for etcd during restore procedure, that is similar like we do for fresh deployment.
Duplex/Multi-node During upgrade-activate stage, we will do below
- Create /etc/kubernetes/pki/etcd/ subfolder, and generate etcd-ca and related certs
- Copy etcd-ca and related certs to /etc/kubernetes/pki/etcd/ and /etc/etcd/
- Restart etcd, and update the config of api-server before restart it.
Alternatives
None
Data model impact
None
REST API impact
None
Security impact
It can reduce the security risk after separate k8s CA and etcd CA
Other end user impact
none
Performance Impact
none
Other deployer impact
Admin user is able to use separate external root ca cert for k8s and etcd
Developer impact
None
Upgrade impact
It has already been described in section Proposed change
Implementation
Assignee(s)
Primary assignee:
Repos Impacted
ansible-playbooks stx-puppet config
Work Items
The work items have already been described in section Proposed change
Dependencies
None
Testing
- Deployment test on both simplex and duplex.
- Switch active controller.
- Lock/unlock of a simplex controller.
- Backup/Restore test on simplex and duplex.
- Spontaneous reboot of a simplex controller.
- Re-installing a controller host on a duplex setup and then swacting to it.
- Upgrade test on both simplex and duplex.
Documentation Impact
References
History
Release Name | Description |
---|---|
stx.6.0 | Separate CA for k8s and etcd |