tool for updating TLS assets in existing kube-aws clusters #561
Comments
|
I believe the 90 days limit was intentional (kube-aws is still very much in development and you should probably make a habit out of re-rolling your cluster). #340 luckily already has this listed as a work item, so this'll get fixed eventually. With some work being done in kubernetes upstream (kubernetes/kubernetes#25562) this will probably get easier. |
|
@pieterlange this is correct- we don't want to prescribe an inadequate PKI-like solution, so we'd rather leave certificate rotation entirely open ended until we have a reasonable solution. If you're interested in this problem, there is some upstream work in this direction here |
|
Does #608 address this, via |
|
@iameli yes it does! (though beware we are going to change the semantics of those cli commands!) You'll be able to choose from following options:
|
|
It is great that kube-aws will be able to generate sustainable certs. In the interim I had rolled a rough script to generate certs compatible with kube-aws that won't lock us out in a couple months :-) https://github.com/whereisaaron/coreos-kubernetes-generate-certs But being able to update certs across a running cluster is the key missing piece for me. |
I recently hit the 90 day mark on a development cluster built with kube-aws. This was a non production cluster, so I used the default crypto assets. They worked great! The certificates are minted with a fairly short, 90 day lifetime, which makes a lot of sense, but once they expired, it'd be nice to be able to issue new certs. My dream feature would be to type something like
kube-aws renewin the presence of my existingcluster.yamland credentials.The text was updated successfully, but these errors were encountered: