Is your feature request related to a problem? Please describe.
#496 was closed in #952, claiming

> This ensures we rotate all non-CA certs periodically.
Which turned out not to be true. The certificates are NOT rotated periodically. Instead, they are only rotated on the k0s controller restart.
The problem becomes much worse when you shorten the lifetime of the etcd server cert as per config (k0s/pkg/apis/k0s/v1beta1/cert.go, line 23 in df1ccae):

```go
CertificatesExpireAfter metav1.Duration `json:"certificatesExpireAfter"`
```
The schedule for manual controller restart may become quite complex: one schedule to ensure the etcd server cert renewal, another schedule for other certs.
This is not feasible in some environments, especially in those that perform rare upgrades.
Describe the solution you would like
k0scontroller should watch, renew, and pick up the rotated certs fully automatically.
One way it can be done to avoid simultaneous downtime of multiple controllers is to introduce a random renewal threshold, e.g. swarmkit renews certs randomly between 50% and 80% of the cert's lifetime - https://github.com/moby/swarmkit/blob/f80b112cff7d2fa4b67eff36f0bdd2cbd05be0d8/ca/config.go#L626
Describe alternatives you've considered
- manual restart of controllers - not feasible, easy to miss
- frequent k0s upgrades - hard to accomplish in big enterprise envs
- cron jobs for restarting k0s controllers - may be complex to set up based on the k0s configuration
Additional context
No response
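The jittered renewal policy the request points at, written out as a standalone illustration. This is added example code, not code from k0s or from swarmkit; the 50%-80% window comes from the issue, while the function names (`renewalFraction`, `renewalDeadline`, `needsRenewal`, `newJitter`, `selfSignedCert`) and the self-signed demo certificate are assumptions made for the example. The idea is that each controller picks its own random point inside the window once, so controllers that were issued certs at the same time do not all hit their renewal (and restart) at the same instant.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	mrand "math/rand"
	"time"
)

// Renewal window as described in the issue (swarmkit-style): renew at a
// random point between 50% and 80% of the cert's lifetime. Hypothetical
// constants for this example, not a k0s setting.
const (
	minRenewFraction = 0.5
	maxRenewFraction = 0.8
)

// newJitter returns a seeded source so that each controller (or each test run)
// can draw its own renewal point reproducibly.
func newJitter(seed int64) *mrand.Rand {
	return mrand.New(mrand.NewSource(seed))
}

// renewalFraction draws a fraction in [minRenewFraction, maxRenewFraction).
func renewalFraction(r *mrand.Rand) float64 {
	return minRenewFraction + r.Float64()*(maxRenewFraction-minRenewFraction)
}

// renewalDeadline returns the instant at which a certificate valid from
// notBefore to notAfter should be renewed, given a fraction of its lifetime.
func renewalDeadline(notBefore, notAfter time.Time, fraction float64) time.Time {
	lifetime := notAfter.Sub(notBefore)
	return notBefore.Add(time.Duration(float64(lifetime) * fraction))
}

// needsRenewal reports whether cert has reached its jittered renewal deadline
// at time now. An already-expired cert always needs renewal.
func needsRenewal(cert *x509.Certificate, now time.Time, fraction float64) bool {
	if !now.Before(cert.NotAfter) {
		return true
	}
	return !now.Before(renewalDeadline(cert.NotBefore, cert.NotAfter, fraction))
}

// selfSignedCert builds a throwaway self-signed certificate with the given
// validity window. Constructed sample input for the demo, not k0s's CA code.
func selfSignedCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "etcd-server-demo"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cert, err := selfSignedCert(issued, issued.Add(365*24*time.Hour))
	if err != nil {
		panic(err)
	}
	// A fixed seed keeps the demo reproducible; a real controller would seed per node.
	fraction := renewalFraction(newJitter(42))
	deadline := renewalDeadline(cert.NotBefore, cert.NotAfter, fraction)
	fmt.Printf("renew at %.0f%% of lifetime: %s\n", fraction*100, deadline.Format(time.RFC3339))
	for _, now := range []time.Time{issued.Add(100 * 24 * time.Hour), issued.Add(300 * 24 * time.Hour)} {
		fmt.Printf("%s needsRenewal=%v\n", now.Format("2006-01-02"), needsRenewal(cert, now, fraction))
	}
}
```

A controller would evaluate `needsRenewal` from a periodic ticker rather than only at startup, which is the gap the issue describes; with the random fraction drawn once per controller, the renewals of several controllers sharing one issue date spread across the 50%-80% window instead of landing together.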