Certificates rotation with Salt beacon & reactor #1887
Labels: complexity:medium (Something that requires one or few days to fix), kind:enhancement (New feature or request), moonshot
Status: Closed

alexandre-allard added the kind:enhancement, moonshot and complexity:medium labels on Oct 10, 2019
This was referenced Nov 2, 2020
alexandre-allard added a commit that referenced this issue on Nov 3, 2020:
This beacon will trigger an event with all master role related certificates that are already expired or will expire in less than 15 days. This event will then be caught by a reactor which will handle the certificate renewals. Refs: #1887
alexandre-allard added a commit that referenced this issue on Nov 3, 2020:
This beacon will trigger an event with all etcd role related certificates that are already expired or will expire in less than 15 days. This event will then be caught by a reactor which will handle the certificate renewals. Refs: #1887
alexandre-allard added a commit that referenced this issue on Nov 3, 2020:
This beacon will trigger an event with all ca role related certificates that are already expired or will expire in less than 15 days. This event will then be caught by a reactor which will handle the certificate renewals. Refs: #1887
alexandre-allard added a commit that referenced this issue on Nov 3, 2020:
This beacon will trigger an event with all bootstrap role related certificates that are already expired or will expire in less than 15 days. This event will then be caught by a reactor which will handle the certificate renewals. Refs: #1887
alexandre-allard added four commits that referenced this issue on Nov 3, 2020, each with the message:
This pillar entry will be consumed by the reactor listening for certificate expiration events. If the path of an expired certificate matches one in this list, the related `sls` will be run. Refs: #1887
alexandre-allard added a commit that referenced this issue on Nov 3, 2020:
This orchestrate will be called by the reactor when it receives an event for expired certificates. It will run the `sls` defined under the `certs_renewal` pillar entry for each expired certificate. Refs: #1887
alexandre-allard added a commit that referenced this issue on Nov 3, 2020:
This reactor will be called when an expired certificate event is received. It will then launch the orchestrate `orchestrate.certs.renew`, passing the list of expired certificates, to renew them. Refs: #1887
alexandre-allard added a commit that referenced this issue on Nov 3, 2020:
Set up the configuration in salt master cfg for the certificate expiration reactor. Refs: #1887
alexandre-allard added eleven further commits that referenced this issue on Nov 4, 2020; their messages repeat those of the Nov 3 commits above (bootstrap role beacon, `certs_renewal` pillar entries, orchestrate, reactor and salt master cfg).
alexandre-allard added a commit that referenced this issue on Dec 11, 2020:
This pillar entry will be consumed by the Salt formulas configuring etcd, the beacon and the reactor listening for certificate expiration events. If the path of an expired certificate matches one in this list, the sls under `regen_sls` will be run. Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 11, 2020:
This pillar entry will be consumed by the Salt formulas configuring master nodes, the beacon and the reactor listening for certificate expiration events. If the path of an expired certificate matches one in this list, the sls under `regen_sls` will be run. Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 11, 2020:
Replace hardcoded path for calico kubeconfig in the related formulas, using the new entries under certificates key in the `defaults.yaml` file. Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 11, 2020:
Replace hardcoded path for kubelet kubeconfig in the related formulas, using the new entries under certificates key in the `defaults.yaml` file. Refs: #1887
alexandre-allard added three further commits that referenced this issue on Dec 11, 2020, with the same messages as the `orchestrate.certs.renew` orchestrate, reactor and salt master cfg commits of Nov 3 above.
alexandre-allard added a commit that referenced this issue on Dec 11, 2020:
Set up the configuration in salt master cfg for the kubeconfig expiration reactor. Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 11, 2020:
These tests reconfigure the beacons and override the pillar configuration to force the renewal of all the certificates and kubeconfigs. The goal is to ensure that beacons work well and that nothing is broken in the cluster even when everything is triggered at the very same time. Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 15, 2020:
This way this method can be called by anything to check if the kubeconfig file needs to be regenerated. The purpose is to be able to call it from a custom beacon to check whether embedded certificates are expired or not. Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 15, 2020:
It allows dynamically passing the number of days left to consider the certificates in a kubeconfig as expired. This change is needed for the custom beacon used to watch kubeconfig expiry, as this parameter will be configurable like it is done for other beacons (e.g. cert_info). Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 15, 2020:
We now only check the CN in the kubeconfig certificate if the `expected_cn` is not None. This is needed in order to avoid checking the CN in the kubeconfig beacon which will rely on this method. Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 15, 2020:
This will allow changing the time a kubeconfig is valid (by changing the embedded certificates' validity period). Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 15, 2020:
This beacon takes a list of kubeconfigs as input and checks whether they need to be renewed or not, triggering an event on the Salt bus when needed. To configure this beacon, a section must be added, either in the minion configuration or through the pillar, as follows:

```yaml
beacons:
  metalk8s_kubeconfig_info:
    - files:
        - /etc/kubernetes/calico.conf
        - /etc/kubernetes/admin.conf:
            notify_days: 30
    - interval: 86400
    - notify_days: 15
```

Default notify_days, if not provided, is 45. It can be overridden for a specific kubeconfig as shown above. Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 15, 2020 (no commit message shown).
alexandre-allard added a commit that referenced this issue on Dec 15, 2020:
These defaults will be merged with the pillar and can be overridden; they'll be used by both the certificate & kubeconfig expiry beacons, the related reactor (certs renewal) and the `x509.certificate_managed` state. Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 15, 2020:
This sls sets up the two beacons used to watch certificate and kubeconfig expiry. We also need to install the pyOpenSSL package for the cert_info beacon to work. Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 15, 2020:
Since this is needed on almost any node, let's deploy the beacons on all nodes; if there is no certificate to watch it will do nothing anyway. Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 15, 2020:
This pillar entry will be consumed by the Salt beacon configuration formula. This beacon watches certificate expirations. Refs: #1887
alexandre-allard added a commit that referenced this issue on Dec 15, 2020:
This pillar entry will be consumed by the Salt formulas configuring bootstrap role nodes, the beacon and the reactor listening for certificate expiration events. If the path of an expired certificate matches one in this list, the sls under `regen_sls` will be run. Refs: #1887
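The commits above describe two beacons (Salt's `cert_info` for certificate files, and the custom `metalk8s_kubeconfig_info` for certificates embedded in kubeconfigs, with a per-file `notify_days` override) and a reactor that runs the `regen_sls` of whichever `certs_renewal` pillar entry matches the expired path. The following is an added example, not MetalK8s code and not Salt's own beacon implementation: it models that decision logic in Python with the standard library only, reading `notAfter` through a minimal DER walk. The certificate paths, the `path`/`regen_sls` list shape assumed for the `certs_renewal` pillar, the `example.*` sls names, the event keys and the constructed skeleton certificate are all assumptions made for the example.

```python
"""Model of the expiry beacons and the reactor matching described in this issue.

Added example: not MetalK8s code and not Salt's cert_info beacon. It keeps the
decision logic (days left <= notify_days -> event; event path listed in the
certs_renewal pillar -> its regen_sls is run) and reads notAfter with a tiny
DER walk so only the standard library is needed. Paths, pillar shape, sls
names and event keys are assumptions, not the project's real ones.
"""
import base64
import datetime as dt

UTC = dt.timezone.utc


def _tlv(buf: bytes, pos: int):
    """(tag, content, next_pos) of the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content: bytes):
    """Direct children of a constructed element, as (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _tlv(content, pos)
        out.append((tag, body))
    return out


def cert_not_after(pem: str) -> dt.datetime:
    """notAfter of a PEM certificate. RFC 5280 fixes the tbsCertificate field
    order: [0] version (optional), serial, signature, issuer, validity, ..."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if "-----" not in l))
    _, cert, _ = _tlv(der, 0)                          # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                          # tbsCertificate SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                           # EXPLICIT [0] version present
        fields = fields[1:]
    tag, body = _children(fields[3][1])[1]             # validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return dt.datetime.strptime(body.decode("ascii"), fmt).replace(tzinfo=UTC)


def cert_info_beacon(files: dict, notify_days: int, now: dt.datetime) -> list:
    """One event per cert already expired or expiring within notify_days.
    files: path -> {"pem": str, "notify_days": int (optional per-file override)}."""
    events = []
    for path, spec in files.items():
        not_after = cert_not_after(spec["pem"])
        days_left = (not_after - now).days            # negative once expired
        if days_left <= spec.get("notify_days", notify_days):
            events.append({"file": path, "notAfter": not_after.isoformat(),
                           "days_left": days_left, "expired": days_left < 0})
    return events


def kubeconfig_info_beacon(kubeconfigs: dict, notify_days: int, now: dt.datetime) -> list:
    """Same check on the client cert embedded in a kubeconfig
    (users[].user.client-certificate-data holds the base64 of the PEM)."""
    files = {}
    for path, spec in kubeconfigs.items():
        data = spec["config"]["users"][0]["user"]["client-certificate-data"]
        files[path] = {"pem": base64.b64decode(data).decode()}
        if "notify_days" in spec:
            files[path]["notify_days"] = spec["notify_days"]
    return cert_info_beacon(files, notify_days, now)


def sls_to_run(events: list, certs_renewal: list) -> dict:
    """Reactor/orchestrate side: an event path listed in the pillar maps to its
    regen_sls; paths the pillar does not know are left alone (nothing to run)."""
    index = {e["path"]: e["regen_sls"] for e in certs_renewal}
    return {ev["file"]: index[ev["file"]] for ev in events if ev["file"] in index}


# Constructed sample input: an unsigned skeleton with only the fields the walk
# above reads. NOT a valid X.509 certificate, just enough to exercise the logic.
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def toy_cert_pem(not_after: dt.datetime) -> str:
    def t(d):                                          # UTCTime before 2050, else GeneralizedTime
        return (_der(0x17, d.strftime("%y%m%d%H%M%SZ").encode()) if d.year < 2050
                else _der(0x18, d.strftime("%Y%m%d%H%M%SZ").encode()))
    validity = _der(0x30, t(not_after - dt.timedelta(days=365)) + t(not_after))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity + _der(0x30, b""))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()


def _kubeconfig(pem: str) -> dict:
    return {"users": [{"name": "admin", "user": {"client-certificate-data": base64.b64encode(pem.encode()).decode()}}]}


NOW = dt.datetime(2020, 12, 15, tzinfo=UTC)             # date of the commits above
SAMPLE_CERTS = {                                       # assumed paths, constructed certs
    "/etc/kubernetes/pki/apiserver.crt": {"pem": toy_cert_pem(NOW + dt.timedelta(days=10))},
    "/etc/kubernetes/pki/etcd/server.crt": {"pem": toy_cert_pem(NOW - dt.timedelta(days=2))},
    "/etc/kubernetes/pki/ca.crt": {"pem": toy_cert_pem(NOW + dt.timedelta(days=3000)), "notify_days": 60},
}
SAMPLE_KUBECONFIGS = {                                 # mirrors the beacon config in this issue
    "/etc/kubernetes/calico.conf": {"config": _kubeconfig(toy_cert_pem(NOW + dt.timedelta(days=40)))},
    "/etc/kubernetes/admin.conf": {"config": _kubeconfig(toy_cert_pem(NOW + dt.timedelta(days=40))), "notify_days": 30},
}
SAMPLE_CERTS_RENEWAL = [                               # assumed pillar shape and sls names
    {"path": "/etc/kubernetes/pki/apiserver.crt", "regen_sls": ["example.apiserver.certs"]},
    {"path": "/etc/kubernetes/pki/ca.crt", "regen_sls": ["example.ca.certs"]},
]

if __name__ == "__main__":
    cert_events = cert_info_beacon(SAMPLE_CERTS, 15, NOW)
    print("cert_info events:", cert_events)
    print("kubeconfig events:", kubeconfig_info_beacon(SAMPLE_KUBECONFIGS, 45, NOW))
    print("sls the orchestrate would run:", sls_to_run(cert_events, SAMPLE_CERTS_RENEWAL))
```

With the constructed input, the certificate beacon flags the apiserver cert (10 days left, inside the 15-day window) and the already expired etcd cert, but not the CA (3000 days left against its 60-day override). Of the kubeconfigs only calico.conf fires: admin.conf has the same 40 days left, but its per-file 30-day override is shorter than the 45-day default. On the reactor side the etcd event is dropped because no `certs_renewal` entry names that path, which is exactly the gap to check for before relying on automatic renewal: a beacon that fires is useless if the pillar has no sls for the file.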
alexandre-allard added nine further commits that referenced this issue on Dec 15, 2020; their messages repeat those of the Dec 11 commits above (etcd and master `regen_sls` pillar entries, calico and kubelet kubeconfig paths, orchestrate, reactor, certificate and kubeconfig expiration reactor configuration in salt master cfg, and the forced-renewal tests).
Component: Salt
Why this is needed: To be able to rotate metalk8s certificates and generate short-lived certificates to improve the security of the metalk8s cluster.
What should be done: A system that handles the certificate rotation.
Implementation proposal (strongly recommended): Based on Salt beacon & reactor.
Test plan: TBD