Support certificate chains when using custom certs #1834
Comments
@byo do I understand it correctly that you want to just paste an intermediate CA to rke and let rke generate the component certs for you, the same as kubeadm does https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#external-ca-mode?
@ElMarioFredo My use-case is when rke does not generate certificates or keys at all; those are created outside and passed through.
I tried to provide RKE custom certs with a kube-ca.pem containing the CA chain (the root CA and intermediate CA) in the same file, which is valid for openssl, but when rke deploys the certificates on nodes, the kube-ca.pem keeps only one cert, so the whole chain is invalid.
@ElMarioFredo Can we apply the "KISS" principle?
Thanks @byo and @stoff1973 for the reply. As I mentioned, I like how kubeadm handles certificate generation for you from a custom CA. I understand that it's simpler to apply KISS here, but this leads to clusters running on self-signed certificates, which is IMHO a security bad practice when a company has its own CA.
For me, there is no relationship between providing a complete chain (CA + intermediate) and using a self-signed certificate.
RKE version:
1.0.0
When specifying custom certificates, RKE assumes that the specified CA directly signs the final certificates for the kubernetes components. There's no way to specify custom certificates issued by an intermediate CA.
Such an intermediate-CA setup would be beneficial in the case of intermediate CA rotation, as in our case: only the long-lived, offline root CA needs to be supplied to clients for them to trust the rotated intermediate certificates.
gz#12775
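The failure described above (a multi-cert kube-ca.pem arriving on the node with only one certificate) can be caught before the cluster goes live by comparing the deployed file against the bundle that was handed to rke. The following is an added example, not RKE code: it splits PEM bundles into their DER certificates and reports which entries of the source chain are missing on the node. The sample PEM bodies are constructed minimal DER SEQUENCEs standing in for real X.509 certificates, and the "deployed" file is assumed to have kept only the first entry.

```python
"""Check that a deployed kube-ca.pem still carries every certificate of the
source chain bundle (root + intermediate). Added example, not part of RKE."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(pem):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle.
    Raises ValueError if a block is not valid base64 or not a DER SEQUENCE."""
    ders = []
    for body in PEM_RE.findall(pem):
        der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        if not der or der[0] != 0x30:  # an X.509 Certificate is an ASN.1 SEQUENCE
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def missing_from_deployed(source_pem, deployed_pem):
    """Indices (in the source bundle) of certificates absent from the deployed file.
    An empty list means the whole chain survived deployment."""
    deployed = set(split_pem_bundle(deployed_pem))
    return [i for i, der in enumerate(split_pem_bundle(source_pem))
            if der not in deployed]


def _pem(der):
    """Wrap DER bytes in a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % lines


# Constructed stand-ins: minimal DER SEQUENCEs, not real X.509 certificates.
ROOT_DER = b"\x30\x03\x02\x01\x01"
INTERMEDIATE_DER = b"\x30\x03\x02\x01\x02"
SOURCE_BUNDLE = _pem(ROOT_DER) + _pem(INTERMEDIATE_DER)  # chain given to rke
DEPLOYED_KUBE_CA = _pem(ROOT_DER)  # assumed: node kept only the first cert

if __name__ == "__main__":
    print("certs in source bundle:", len(split_pem_bundle(SOURCE_BUNDLE)))
    print("source indices missing on node:",
          missing_from_deployed(SOURCE_BUNDLE, DEPLOYED_KUBE_CA))
```

On a real node, read /etc/kubernetes/ssl/kube-ca.pem (or wherever rke placed it) into `deployed_pem` and the bundle you supplied into `source_pem`; a non-empty result means the intermediate was dropped and leaf certificates will fail chain validation.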