cert-manager / trust-manager

trust-manager is an operator for distributing trust bundles across a Kubernetes cluster.
https://cert-manager.io/docs/projects/trust-manager/
Apache License 2.0

Automatic CA rotation support #135

Open smoshiur1237 opened 1 year ago

smoshiur1237 commented 1 year ago

We are using Cluster API (CAPI) for LCM of Kubernetes. CAPI has the ability to deploy many target clusters from a management cluster. So we are creating a management cluster which can deploy multiple target clusters. Here, I would like to rotate a k8s cluster CA, which involves many different steps and restarts (rolling upgrade) of pods and updates on other resources (config maps, secrets, service accounts), which is manual: [k8s CA rotation](https://kubernetes.io/docs/tasks/tls/manual-rotation-of-ca-certificates/)

I am looking for available options to do automatic CA rotation at scale, as manual operation on each cluster will be very costly and time consuming. So, it would be interesting to know and understand how the community is addressing this issue. Are there any plans to support this feature, or how would you tackle this kind of situation? I would like to get your opinions and suggestions.

There are also use cases in which the CA of the target clusters might be different from that of the management cluster.

  1. Deployment of a management cluster and multiple target clusters with the same CA. Perform the cluster CA rotation on the target clusters and the management cluster without impact on traffic.
  2. Deployment of a management cluster and many target clusters with different CAs. Perform the cluster CA rotation on the target clusters and the management cluster without impact on traffic.

/kind feature
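
The traffic-safe rotation the issue asks for comes down to one ordering rule: every client's trust bundle must contain both the outgoing and the incoming CA before any server certificate is re-issued from the new CA, and the old CA may only be dropped once no server still presents an old-CA certificate. The following Go program is an added example, not code from the issue or from trust-manager; it builds two throwaway self-signed CAs that stand in for the old and new cluster CA, issues a server certificate from each, and checks what a client holding each of the three possible trust bundles (old only, old plus new, new only) would accept. The bundle is a plain PEM concatenation, which is the form trust-manager writes into its target ConfigMap key; the CA names and the `kubernetes.default.svc` host name are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// must panics on error so the demo helpers below stay short.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type keyed struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue signs tmpl with parent, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *keyed) *keyed {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signer := &keyed{cert: tmpl, key: key}
	if parent != nil {
		signer = parent
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key))
	return &keyed{cert: must(x509.ParseCertificate(der)), key: key}
}

// newCA builds a self-signed CA named cn; it stands in for a cluster CA (constructed for this demo).
func newCA(cn string) *keyed {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil)
}

// newServerCert issues a server leaf for dnsName from ca.
func newServerCert(ca *keyed, dnsName string) *keyed {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
}

// bundlePEM concatenates CA certs into one PEM bundle, the form trust-manager writes to its target.
func bundlePEM(roots ...*keyed) []byte {
	var out []byte
	for _, r := range roots {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: r.cert.Raw})...)
	}
	return out
}

// trusted reports whether a client that holds bundle as its roots accepts leaf for dnsName.
func trusted(bundle []byte, leaf *x509.Certificate, dnsName string) bool {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(bundle) // an unparseable bundle just leaves the pool empty
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err == nil
}

// PhaseResult records, for one bundle state, whether old-CA and new-CA server certs are accepted.
type PhaseResult struct {
	Phase            string
	OldLeaf, NewLeaf bool
}

// RotationPhases walks the three trust-bundle states of an overlap-style CA rotation.
func RotationPhases() []PhaseResult {
	const host = "kubernetes.default.svc" // illustrative target name
	oldRoot, newRoot := newCA("cluster-ca-old"), newCA("cluster-ca-new")
	oldLeaf, newLeaf := newServerCert(oldRoot, host), newServerCert(newRoot, host)
	check := func(phase string, roots ...*keyed) PhaseResult {
		return PhaseResult{phase, trusted(bundlePEM(roots...), oldLeaf.cert, host), trusted(bundlePEM(roots...), newLeaf.cert, host)}
	}
	return []PhaseResult{
		check("1 old CA only (before rotation)", oldRoot),
		check("2 old + new CA (overlap window: re-issue leaves now)", oldRoot, newRoot),
		check("3 new CA only (after every leaf is re-issued)", newRoot),
	}
}

func main() {
	for _, r := range RotationPhases() {
		fmt.Printf("%-52s old-CA leaf ok=%-5v new-CA leaf ok=%v\n", r.Phase, r.OldLeaf, r.NewLeaf)
	}
}
```

Phase 2 is the only state in which a server may present either certificate without being rejected, so an automated rotation has to hold the bundle there until every leaf (apiserver, kubelet, webhook and any other server certificate chaining to the cluster CA) has been re-issued; skipping straight from phase 1 to phase 3, or re-issuing leaves while clients are still in phase 1, is exactly the traffic impact the issue wants to avoid. Distributing the phase 2 bundle to every cluster is the part a trust-bundle operator can do; the re-issuance and rollout in between is still the per-cluster work the linked Kubernetes page describes.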

jetstack-bot commented 1 year ago

@smoshiur1237: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

In response to [this](https://github.com/cert-manager/trust-manager/issues/135):

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

cert-manager-bot commented 3 days ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. /lifecycle stale