Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add cert rotation command #4495

Merged
merged 7 commits into from
Dec 2, 2021
Merged

Add cert rotation command #4495

merged 7 commits into from
Dec 2, 2021

Conversation

galal-hussein
Copy link
Contributor

@galal-hussein galal-hussein commented Nov 15, 2021
edited
Loading

Signed-off-by: galal-hussein [email protected]

Proposed Changes

  • Adding cert command to k3s plus adding subcommand rotate
  • Upgrading dynamic listener to add support for cert rotate

Types of Changes

New Feature

Verification

  • start k3s server
  • stop k3s
  • run cert rotate k3s cert rotate

This command will back up tls certs for server and agent excepts for CA certs and service key, and then remove these files allowing k3s on the next restart to regenerate the files.

  • restart k3s, and make sure that certificates are rotated successfully

Linked Issues

User-Facing Change

A new command is added to k3s cert which supposed to contain subcommands for certificate management, this PR include the rotate subcommand which will rotate the TLS certs for server or agent.

@galal-hussein galal-hussein marked this pull request as ready for review November 15, 2021 22:19
@galal-hussein galal-hussein requested a review from a team as a code owner November 15, 2021 22:19
briandowns
briandowns reviewed Nov 15, 2021
View reviewed changes
pkg/cli/cert/cert.go Outdated Show resolved Hide resolved
briandowns
briandowns reviewed Nov 15, 2021
View reviewed changes
pkg/cli/cert/cert.go Outdated Show resolved Hide resolved
briandowns
briandowns reviewed Nov 15, 2021
View reviewed changes
pkg/cli/cert/cert.go Outdated

for _, cert := range certList {
if err := os.Remove(cert); err == nil {
logrus.Infof("Certificate %s is deleted", cert)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we could replace "deleted" with "processed" or something lighter.

Oats87
Oats87 requested changes Nov 15, 2021
View reviewed changes
Copy link
Member

@Oats87 Oats87 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple of nits; are we doing enough safe-guarding to prevent a user from accidentally rotating certs on a K3s cluster while K3s is still running? What happens if this command is run on a live cluster?

pkg/cli/cmds/certs.go Outdated Show resolved Hide resolved
cmd/cert/main.go Outdated Show resolved Hide resolved
pkg/cluster/https.go
const regenerateDynamicListenerFile = "dynamic-cert-regenerate"
dynamicListenerRegenFilePath := filepath.Join(c.config.DataDir, "tls", regenerateDynamicListenerFile)
if _, err := os.Stat(dynamicListenerRegenFilePath); err == nil {
os.Remove(dynamicListenerRegenFilePath)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if the certificate rotation fails and we are prematurely removing this file?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These files are backed up before this operation begins. We output the path to the backup directory.

briandowns
briandowns approved these changes Nov 17, 2021
View reviewed changes
Copy link
Contributor

@briandowns briandowns left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@galal-hussein galal-hussein requested a review from Oats87 November 18, 2021 22:27
@galal-hussein
fix ci tests
ec12317 
Signed-off-by: galal-hussein <[email protected]>
brandond
brandond requested changes Nov 23, 2021
View reviewed changes
pkg/cli/cmds/certs.go Outdated Show resolved Hide resolved
pkg/cli/cert/cert.go Show resolved Hide resolved
pkg/cli/cert/cert.go Outdated Show resolved Hide resolved
pkg/cli/cert/cert.go Outdated Show resolved Hide resolved
pkg/cli/cert/cert.go Outdated Show resolved Hide resolved
@galal-hussein
Copy link
Contributor Author

@brandond Added fixes according to your comments, and to add some context around the UX, here what the user will see if certificate rotate command is issued:

bash-5.1# k3s --debug certificate rotate
DEBU[0000] Asset dir /var/lib/rancher/k3s/data/96b8e62e8b0dffcc6ed3579dcf03f2a936bfb41aed5c6784ae817483a78eec56 
DEBU[0000] Running /var/lib/rancher/k3s/data/96b8e62e8b0dffcc6ed3579dcf03f2a936bfb41aed5c6784ae817483a78eec56/bin/k3s-certificate [../k3s/dist/artifacts/k3s --debug certificate rotate] 
INFO[0000] Server detected, rotatig server certificates 
INFO[0000] Rotating certificates for admin service      
INFO[0000] Rotating certificates for etcd service       
INFO[0000] Rotating certificates for api-server service 
INFO[0000] Rotating certificates for controller-manager service 
INFO[0000] Rotating certificates for cloud-controller service 
INFO[0000] Rotating certificates for scheduler service  
INFO[0000] Rotating certificates for k3s-server service 
INFO[0000] Rotating dynamic listener certificate        
INFO[0000] Rotating certificates for k3s-controller service 
INFO[0000] Rotating certificates for auth-proxy service 
INFO[0000] Rotating certificates for kubelet service    
INFO[0000] Rotating certificates for kube-proxy service 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-admin.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-admin.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/etcd/client.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/etcd/client.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/etcd/server-client.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/etcd/server-client.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/etcd/peer-server-client.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-kube-apiserver.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-kube-apiserver.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/serving-kube-apiserver.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-controller.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-controller.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-k3s-cloud-controller.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-k3s-cloud-controller.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-scheduler.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-scheduler.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-k3s-controller.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-k3s-controller.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/agent/client-k3s-controller.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/agent/client-k3s-controller.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-auth-proxy.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-auth-proxy.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-kubelet.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/serving-kubelet.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/agent/client-kubelet.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/agent/client-kubelet.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/agent/serving-kubelet.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/agent/serving-kubelet.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-kube-proxy.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/server/tls/client-kube-proxy.key is deleted 
DEBU[0000] file /var/lib/rancher/k3s/agent/client-kube-proxy.crt is deleted 
DEBU[0000] file /var/lib/rancher/k3s/agent/client-kube-proxy.key is deleted 
INFO[0000] Successfully backed up certificates for all services to path /var/lib/rancher/k3s/server/tls-1637786253, please restart k3s server or agent to rotate certificates

Without the debug mode the user will just see the services that will be rotated

brandond
brandond requested changes Nov 24, 2021
View reviewed changes
pkg/cli/cert/cert.go Outdated Show resolved Hide resolved
pkg/cli/cert/cert.go Outdated Show resolved Hide resolved
pkg/cli/cert/cert.go Outdated Show resolved Hide resolved
@galal-hussein
more fixes
71b6bdb 
Signed-off-by: galal-hussein <[email protected]>
@brandond
Copy link
Member

LGTM; are the test failures legit or a flake?

@galal-hussein
Copy link
Contributor Author

LGTM; are the test failures legit or a flake?

I think flakes, I will restart

@galal-hussein galal-hussein merged commit 77fd3e9 into k3s-io:master Dec 2, 2021
galal-hussein added a commit to galal-hussein/k3s that referenced this pull request Dec 2, 2021
@galal-hussein @briandowns
Add cert rotation command (k3s-io#4495)
e832c28 
* Add cert rotation command

Signed-off-by: galal-hussein <[email protected]>

* add function to check for dynamic listener file

Signed-off-by: Brian Downs <[email protected]>

* Add dynamiclistener cert rotation support

Signed-off-by: galal-hussein <[email protected]>

* fixes to the cert rotation

Signed-off-by: galal-hussein <[email protected]>

* fix ci tests

Signed-off-by: galal-hussein <[email protected]>

* fixes to certificate rotation command

Signed-off-by: galal-hussein <[email protected]>

* more fixes

Signed-off-by: galal-hussein <[email protected]>

Co-authored-by: Brian Downs <[email protected]>
galal-hussein added a commit to galal-hussein/k3s that referenced this pull request Dec 2, 2021
@galal-hussein @briandowns
Add cert rotation command (k3s-io#4495)
ea8aa72 
* Add cert rotation command

Signed-off-by: galal-hussein <[email protected]>

* add function to check for dynamic listener file

Signed-off-by: Brian Downs <[email protected]>

* Add dynamiclistener cert rotation support

Signed-off-by: galal-hussein <[email protected]>

* fixes to the cert rotation

Signed-off-by: galal-hussein <[email protected]>

* fix ci tests

Signed-off-by: galal-hussein <[email protected]>

* fixes to certificate rotation command

Signed-off-by: galal-hussein <[email protected]>

* more fixes

Signed-off-by: galal-hussein <[email protected]>

Co-authored-by: Brian Downs <[email protected]>
galal-hussein added a commit to galal-hussein/k3s that referenced this pull request Dec 2, 2021
@galal-hussein @briandowns
Add cert rotation command (k3s-io#4495)
d43f6d4 
* Add cert rotation command

Signed-off-by: galal-hussein <[email protected]>

* add function to check for dynamic listener file

Signed-off-by: Brian Downs <[email protected]>

* Add dynamiclistener cert rotation support

Signed-off-by: galal-hussein <[email protected]>

* fixes to the cert rotation

Signed-off-by: galal-hussein <[email protected]>

* fix ci tests

Signed-off-by: galal-hussein <[email protected]>

* fixes to certificate rotation command

Signed-off-by: galal-hussein <[email protected]>

* more fixes

Signed-off-by: galal-hussein <[email protected]>

Co-authored-by: Brian Downs <[email protected]>
galal-hussein added a commit to galal-hussein/k3s that referenced this pull request Dec 2, 2021
@galal-hussein @briandowns
Add cert rotation command (k3s-io#4495)
8d1b2d1 
* Add cert rotation command

Signed-off-by: galal-hussein <[email protected]>

* add function to check for dynamic listener file

Signed-off-by: Brian Downs <[email protected]>

* Add dynamiclistener cert rotation support

Signed-off-by: galal-hussein <[email protected]>

* fixes to the cert rotation

Signed-off-by: galal-hussein <[email protected]>

* fix ci tests

Signed-off-by: galal-hussein <[email protected]>

* fixes to certificate rotation command

Signed-off-by: galal-hussein <[email protected]>

* more fixes

Signed-off-by: galal-hussein <[email protected]>

Co-authored-by: Brian Downs <[email protected]>
galal-hussein added a commit that referenced this pull request Dec 6, 2021
@galal-hussein @briandowns
[Engine-1.21] Add cert rotation command (#4634)
5153c52 
* Add cert rotation command (#4495)

* Add cert rotation command

Signed-off-by: galal-hussein <[email protected]>

* add function to check for dynamic listener file

Signed-off-by: Brian Downs <[email protected]>

* Add dynamiclistener cert rotation support

Signed-off-by: galal-hussein <[email protected]>

* fixes to the cert rotation

Signed-off-by: galal-hussein <[email protected]>

* fix ci tests

Signed-off-by: galal-hussein <[email protected]>

* fixes to certificate rotation command

Signed-off-by: galal-hussein <[email protected]>

* more fixes

Signed-off-by: galal-hussein <[email protected]>

Co-authored-by: Brian Downs <[email protected]>

* Upgrade dynamic listener

Signed-off-by: galal-hussein <[email protected]>

Co-authored-by: Brian Downs <[email protected]>
galal-hussein added a commit that referenced this pull request Dec 6, 2021
@galal-hussein @briandowns
[Release-1.20] Add cert rotation command (#4633)
6d3c31a 
* Add cert rotation command (#4495)

* Add cert rotation command

Signed-off-by: galal-hussein <[email protected]>

* add function to check for dynamic listener file

Signed-off-by: Brian Downs <[email protected]>

* Add dynamiclistener cert rotation support

Signed-off-by: galal-hussein <[email protected]>

* fixes to the cert rotation

Signed-off-by: galal-hussein <[email protected]>

* fix ci tests

Signed-off-by: galal-hussein <[email protected]>

* fixes to certificate rotation command

Signed-off-by: galal-hussein <[email protected]>

* more fixes

Signed-off-by: galal-hussein <[email protected]>

Co-authored-by: Brian Downs <[email protected]>

* Upgrade dynamic listener

Signed-off-by: galal-hussein <[email protected]>

* go mod tidy

Signed-off-by: galal-hussein <[email protected]>

Co-authored-by: Brian Downs <[email protected]>
galal-hussein added a commit that referenced this pull request Dec 6, 2021
@galal-hussein @briandowns
[Release-1.21] Add cert rotation command (#4632)
7b62900 
* Add cert rotation command (#4495)

* Add cert rotation command

Signed-off-by: galal-hussein <[email protected]>

* add function to check for dynamic listener file

Signed-off-by: Brian Downs <[email protected]>

* Add dynamiclistener cert rotation support

Signed-off-by: galal-hussein <[email protected]>

* fixes to the cert rotation

Signed-off-by: galal-hussein <[email protected]>

* fix ci tests

Signed-off-by: galal-hussein <[email protected]>

* fixes to certificate rotation command

Signed-off-by: galal-hussein <[email protected]>

* more fixes

Signed-off-by: galal-hussein <[email protected]>

Co-authored-by: Brian Downs <[email protected]>

* Upgrade dynamic listener

Signed-off-by: galal-hussein <[email protected]>

* go mod tidy

Signed-off-by: galal-hussein <[email protected]>

Co-authored-by: Brian Downs <[email protected]>
galal-hussein added a commit that referenced this pull request Dec 6, 2021
@galal-hussein @briandowns
Add cert rotation command (#4495) (#4635)
2dc4e2c 
* Add cert rotation command

Signed-off-by: galal-hussein <[email protected]>

* add function to check for dynamic listener file

Signed-off-by: Brian Downs <[email protected]>

* Add dynamiclistener cert rotation support

Signed-off-by: galal-hussein <[email protected]>

* fixes to the cert rotation

Signed-off-by: galal-hussein <[email protected]>

* fix ci tests

Signed-off-by: galal-hussein <[email protected]>

* fixes to certificate rotation command

Signed-off-by: galal-hussein <[email protected]>

* more fixes

Signed-off-by: galal-hussein <[email protected]>

Co-authored-by: Brian Downs <[email protected]>

Co-authored-by: Brian Downs <[email protected]>
@VestigeJ
Copy link

VestigeJ commented Dec 7, 2021
edited
Loading

Validated cert rotation using the steps outlined roughly above.

Verification
start k3s server
stop k3s
k3s cert rotate
This command will back up tls certs for the server and will locate adjacent to the existing tls directory "/var/lib/rancher/k3s/server/tls-" except for the following eight files that get duplicated.
  • client-ca.crt are identical
  • client-ca.key are identical
  • dynamic-cert.json are identical
  • request-header-ca.crt are identical
  • request-header-ca.key are identical
  • server-ca.crt are identical
  • server-ca.key are identical
  • service.key are identical
restart k3s, and make sure that certificates are rotated successfully

k3s version v1.20.13+k3s-6d3c31ad (6d3c31ad)
go version go1.15.15

k3s version v1.21.7+k3s-7b629008 (7b629008)
go version go1.16.10

k3s version v1.22.4+k3s-2dc4e2c3 (2dc4e2c3)
go version go1.16.10

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@briandowns briandowns briandowns approved these changes

@brandond brandond brandond approved these changes

@Oats87 Oats87 Awaiting requested review from Oats87

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@galal-hussein @brandond @VestigeJ @briandowns @Oats87