Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
9b6b7294
Commit
9b6b7294
authored
Jan 13, 2023
by
Brad Davidson
Committed by
Brad Davidson
Feb 06, 2023
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Clarify ADR based on design review feedback
Signed-off-by:
Brad Davidson
<
brad.davidson@rancher.com
>
parent
f13768c2
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
8 additions
and
2 deletions
+8
-2
ca-cert-rotation.md
docs/adrs/ca-cert-rotation.md
+8
-2
No files found.
docs/adrs/ca-cert-rotation.md
View file @
9b6b7294
...
@@ -70,14 +70,20 @@ clients using tokens signed by the old key have received new tokens.
...
@@ -70,14 +70,20 @@ clients using tokens signed by the old key have received new tokens.
## Decision
## Decision
*
K3s will allow for use of CA certificates signed by an arbitrary set of external root/intermediate CAs.
*
K3s will allow for use of CA certificates signed by an arbitrary set of external root/intermediate CAs.
*
K3s will allow for non
disruptive
renewal or replacement of the CA certificates and keys, if the cluster was
*
K3s will allow for non
-disruptive
[
^1
]
renewal or replacement of the CA certificates and keys, if the cluster was
originally started using user-provided certificates signed by an external CA.
originally started using user-provided certificates signed by an external CA.
*
K3s will allow for disruptive renewal or replacement of cluster CA certificates and keys, if the cluster was
*
K3s will allow for disruptive
[
^2
]
renewal or replacement of cluster CA certificates and keys, if the cluster was
originally started with autogenerated self-signed CAs.
originally started with autogenerated self-signed CAs.
*
K3s will provide example tooling to allow users to generate cluster CA certificates and keys prior to initial
*
K3s will provide example tooling to allow users to generate cluster CA certificates and keys prior to initial
cluster startup, and provide tooling and process documentation to update the bootstrap data and prepare agents
cluster startup, and provide tooling and process documentation to update the bootstrap data and prepare agents
to trust the new certificates (if necessary)
to trust the new certificates (if necessary)
[
^1
]:
Non-disruptive
renewal requires no change to node configuration. The service only needs to be restarted.
[
^2
]:
Disruptive
renewal requires changes to the K3s CLI flags, configuration file, or environment variables
prior to restarting the service. Additionally, the cluster may experience a temporary outage while the
configuration change has been affected to all nodes, due to cluster nodes temporary not sharing a common
root of trust.
## Consequences
## Consequences
This will require additional documentation, CLI subcommands, and QA work to validate the process steps.
This will require additional documentation, CLI subcommands, and QA work to validate the process steps.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment