Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-1.25] Backport user-provided CA cert and kubeadm bootstrap token support #6929

Merged
merged 15 commits into from
Feb 10, 2023
Merged

[release-1.25] Backport user-provided CA cert and kubeadm bootstrap token support #6929

merged 15 commits into from
Feb 10, 2023

Conversation

brandond
Copy link
Member

Proposed Changes

Backport features:

Types of Changes

new feature

Verification

See linked issue and original PRs

Testing

Linked Issues

User-Facing Change

K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at [contrib/util/certs.sh](https://github.com/k3s-io/k3s/blob/master/contrib/util/certs.sh).
K3s now supports `kubeadm` style join tokens. `k3s token create` now creates join token secrets, optionally with a limited TTL.
K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster.

Further Comments

brandond added 14 commits February 9, 2023 23:37
@brandond
Add example certificate generation script
64aa464 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 1ec242d)
@brandond
Ensure cluster-signing CA files contain only a single CA cert
7dc0d1c 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 0919ec6)
@brandond
Fix CA cert hash for root certs
2e6924b 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 58d4032)
@brandond
Add utility functions for getting kubernetes client
3ce9388 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 3c32433)
@brandond
Add certificate rotate-ca to write updated CA certs to datastore
4bc2e62 
This command must be run on a server while the service is running. After this command completes, all the servers in the cluster should be restarted to load the new CA files.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 215fb15)
@brandond
Add ADR
c118db4 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit f13768c)
@brandond
Clarify ADR based on design review feedback
24c8bad 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 9b6b729)
@brandond
Add basic test for custom CA certs
6137d0f 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 8a6404f)
@brandond
Add e2e tests for CA cert rotation
783d430 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit be7f751)
@brandond
Add support for k3s token command
70387ac 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 373df1c)
@brandond
Add support for kubeadm token and client certificate auth
2ff7dce 
Allow bootstrapping with kubeadm bootstrap token strings or existing
Kubelet certs. This allows agents to join the cluster using kubeadm
bootstrap tokens, as created with the `k3s token create` command.

When the token expires or is deleted, agents can successfully restart by
authenticating with their kubelet certificate via node authentication.
If the token is gone and the node is deleted from the cluster, node auth
will fail and they will be prevented from rejoining the cluster until
provided with a valid token.

Servers still must be bootstrapped with the static cluster token, as
they will need to know it to decrypt the bootstrap data.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 992e649)
@brandond
Ensure that node exists when using node auth
e2382b2 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 87f9c4a)
@brandond
Add ADR
7157bae 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit c900089)
@brandond
Add CI test
6eda0a4 
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit b43dd77)
@brandond brandond requested a review from a team as a code owner February 10, 2023 00:06
@brandond brandond changed the title Custom ca boostrap token release 1.25 [release-1.25] Backport user-provided CA cert and kubeadm bootstrap token support Feb 10, 2023
@brandond brandond merged commit a252185 into k3s-io:release-1.25 Feb 10, 2023
@brandond brandond deleted the custom_ca_boostrap_token_release-1.25 branch June 6, 2024 21:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@briandowns briandowns briandowns approved these changes

@rbrtbnfgl rbrtbnfgl rbrtbnfgl approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@brandond @briandowns @rbrtbnfgl