📖 Proposal external CA and cert sign

[moh2a]

What this PR does / why we need it:
This PR add a proposal fo fixe this issue

/area documentation

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign justinsb for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @moh2a. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[chrischdi]

Suggested change

	User -> CAPI : Provider admin certificate for kubeconfig
	User -> CAPI : Provider etcd-client certificate for etcd healthcheck and others actions.
	User -> CAPI : Provides admin certificate for kubeconfig
	User -> CAPI : Provides etcd-client certificate for etcd healthcheck and others actions.

[guettli]

@moh2a will it be possible to update an existing cluster (which was created the old way) to a cluster with external CA? I guess this will not be possible. Maybe add a about that note here.

[moh2a]

I didn't think about switching from internal CA to external CA. If you want to make this change, you'll need to ask yourself whether you want to keep the same CAs or use new ones. If you want to use new ones (I think this is the case for you, as your current CAs may already have been exposed), you will need to perform a rotation, which is not trivial: https://kubernetes.io/docs/tasks/tls/manual-rotation-of-ca-certificates/

[guettli]

@moh2a

Currently, I see these unencrypted keys are on control-planes:

• /etc/kubernetes/pki/ca.key
• /etc/kubernetes/pki/etcd/ca.key
• /etc/kubernetes/pki/front-proxy-ca.key
• /etc/kubernetes/pki/sa.key

It would be great if the proposal would list these files and provides a hint how each file will be handled

[moh2a]

It is already listed in kubernetes documentation here: https://kubernetes.io/docs/setup/best-practices/certificates/. I can refer to the link directly.

[guettli]

@moh2a thank you for the link. Please image that: An control-plane admin was fired. He is angry. He took all key-files from a node. With your proposal /etc/kubernetes/pki/ca.key is not in his hands (nice). But what about the other key-files in the above list?

[moh2a]

In my proposal, I take into account the CA keys (etcd, ca, and proxy). All other certificates derive from these CAs. Personally, I create certificates (clients/servers) with a fairly short validity period. An angry administrator with access to the control planes could only retrieve the client/server certificate keys, but would not be able to issue certificates indefinitely since the CA keys are not present on the control planes.

Regarding the service account key pair, it's a little more complicated since the kube-controller-manager needs it on demand. I suggest you read this proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/740-service-account-external-signing/README.md.

[neolit123]

i think this is something that has been desired,, which is clear from user stories, and it can ease CA rotation. but the implementation details need a lot more work and discussion here. i think also required changes in the default controllers should be pointed out.

as it stands, this seems to me more as an idea doc and less like a full CAEP.

[neolit123]

you should note that this should be an opt-in feature. as much as it improves the security stance, external ca is not something the majority of users care about.

[neolit123]

i think externalCA aligns best with the entire picture but needs a loaded API field comment to cover what it actually entails.

ideally this field should be wrapped in a feature gate tracking it's graduate from alpha->beta->GA.

[neolit123]

would controller logs be the location where errors would surface for users that did not prepare the cert secrets correctly?

[neolit123]

this would require secret format spec, examples and encoding rules.

[neolit123]

what about the client certificate keys?

[neolit123]

how would the init/clusterconfiguration be transferred to joining control plane nodes?

what mechanism would take the CSRs from the hosts and send them to the external signer?

while ideally kubeadm CSRs should be the source of truth for any certs that kubeadm needs, calling kubeadm commands on the node hosts and then sending CSRs over the network sounds complicated.

also who is going to call the kubeadm commands on the node hosts?
i'd assume cloud init, but is that going to be somehow part of the default capi behavior if the externalCA mode is enabled?

[neolit123]

Suggested change

	As a Cluster API user I want that cluster-api provide all necessary configuration to bootstrap providers to be compatible with external signing, so that I can maintain secure certificate flows regardless of the underlying bootstrap mechanism.
	As a Cluster API user I want that it provides all necessary configuration to bootstrap providers to be compatible with external signing, so that I can maintain secure certificate flows regardless of the underlying bootstrap mechanism.

[neolit123]

how can that be done in a bootstrap provider agnostic way? the proposal earlier speaks about kubeadm KCP and CABPK mechanisms like generate-csr but i didn't see any notes about generalization and abstraction.

[neolit123]

here you'd have to cover how a cluster can enabled the feature on upgrade and roll it back on failure.