tls: add scripts and instructions for rotating certificates

[ericchiang]

This is a revamp of our TLS rotation docs. I've been testing them on more recent clusters (1.8.x) on AWS.

Etcd rotation instructions will be added in a bit, but I'd like early feedback.

@kbrwn for testing @robszumski for general review @zbwright for docs

[ericchiang]

Some open questions:

• Where should these scripts live?
• Does this work on other clouds?

[ericchiang]

It was pointed out that kube-proxy reuses the kubelet's certs https://github.com/coreos/tectonic-installer/blob/1.8.9-tectonic.1/modules/bootkube/resources/manifests/kube-proxy.yaml#L31

Need to roll that daemonset as well.

[ericchiang]

This document is almost ready to merge, but has a bug in it that keeps bricking my clusters...

I cannot stress this warning at the beginning more

__WARNING:__ Rotating certificates by hand can break component connectivity and leave the cluster in an unrecoverable state. Before performing any of these instructions on a live cluster backup your cluster state and migrate critical workloads to another cluster.

[ericchiang]

This is done. @zbwright would you take a look one last time?

[justaugustus]

@ericchiang Do you have any context on why the clusters are getting bricked? A warning like that seems super troubling.

[ericchiang]

If you mess up the etcd CA rotation, then it's really hard to change anything on the self hosted control plane. I can expand on that in the doc.

On Fri, Apr 6, 2018, 3:21 PM Stephen Augustus notifications@github.com wrote:

@ericchiang https://github.com/ericchiang Do you have any context on why the clusters are getting bricked? A warning like that seems super troubling.

— You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub https://github.com/coreos/tectonic-docs/pull/155#issuecomment-379400117, or mute the thread https://github.com/notifications/unsubscribe-auth/ACO_XWQxDZ4jWE5cRs58CXBnFf0g3m_sks5tl-pJgaJpZM4TAyzg .

[ericchiang]

To be clear that bug I mentioned earlier was resolved, but still I'd tread very carefully here.

[justaugustus]

@ericchiang cool, cool. Thanks for the clarification!

[ericchiang]

bumping this thread. there was some interest in more testing beside's me just doing it. did that ever get planned/done?

[justaugustus]

@ericchiang I was hope to get some field validation on this, but as it's only Dan (and me, in a diminished capacity), I don't think we can commit to any testing in the near-term, so don't block this on my account.

@kbrwn mentioned he was working with someone, but would need to check-in again to try out the etcd rotation.

[ericchiang]

Docs updated.

[ericchiang]

Okay it's been a bit. I'm merging this tomorrow afternoon unless someone says otherwise.