This feature request proposes adding automated support for managing custom Certificate Authorities (CAs) and their associated certificates as part of the templating system within hmc. This enhancement is essential for enterprise environments with stringent security requirements that mandate custom CAs for internal PKI integration, specifically for the Kubernetes API, etcd, sa, and proxy certificates.
Before a cluster is created, the certificates and keys used for bootstrapping must already exist. When these certificates are present in the namespace, named correctly, and carry the correct label, k0smotron will use them when the k0scontrolplane is created. The procedure is the same as with CABPK: https://cluster-api.sigs.k8s.io/tasks/certs/using-custom-certificates
The creation of the certificates needs to happen when a cluster is created from a template.
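The pre-provisioning step described above, as an added example that is not code from the issue, hmc or k0smotron: a standalone Go program (standard library only) that generates the four Secrets the linked CAPI task looks up by name (`<cluster>-ca`, `<cluster>-etcd`, `<cluster>-proxy`, `<cluster>-sa`), each carrying the `cluster.x-k8s.io/cluster-name` label, and renders them as manifests. The key size, validity period, CA common names, the `Opaque` Secret type, and the function names `BuildClusterCertSecrets` / `RenderYAML` are assumptions; the Secret names, the `tls.crt`/`tls.key` data keys and the label come from the CAPI documentation the issue links to.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ClusterNameLabel is the label CAPI (and k0smotron, per the linked task) use to
// find pre-provisioned certificate Secrets for a cluster.
const ClusterNameLabel = "cluster.x-k8s.io/cluster-name"

// Secret is the minimal shape of a Kubernetes Secret needed to render a manifest.
type Secret struct {
	Name, Namespace string
	Labels          map[string]string
	Data            map[string][]byte // "tls.crt" and "tls.key", PEM-encoded
}

// newCA creates a self-signed CA certificate and private key.
// Assumptions (not from the issue): 2048-bit RSA, 10-year validity.
func newCA(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

// newSAKeyPair creates the service-account signing key pair. Unlike the CAs,
// the "sa" Secret carries a public key (not a certificate) in tls.crt.
func newSAKeyPair() (pubPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pub})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return pubPEM, keyPEM, nil
}

// BuildClusterCertSecrets produces the four Secrets looked up by name
// (<cluster>-ca, -etcd, -proxy, -sa), all carrying the cluster-name label.
// The CA common names mirror kubeadm's defaults (an assumption here).
func BuildClusterCertSecrets(cluster, namespace string) ([]Secret, error) {
	var out []Secret
	add := func(suffix string, crt, key []byte) {
		out = append(out, Secret{
			Name: cluster + "-" + suffix, Namespace: namespace,
			Labels: map[string]string{ClusterNameLabel: cluster},
			Data:   map[string][]byte{"tls.crt": crt, "tls.key": key},
		})
	}
	for suffix, cn := range map[string]string{"ca": "kubernetes", "etcd": "etcd-ca", "proxy": "front-proxy-ca"} {
		crt, key, err := newCA(cn)
		if err != nil {
			return nil, err
		}
		add(suffix, crt, key)
	}
	pub, key, err := newSAKeyPair()
	if err != nil {
		return nil, err
	}
	add("sa", pub, key)
	return out, nil
}

// RenderYAML emits a Secret manifest. Type Opaque is an assumption; the
// controllers read the tls.crt/tls.key data keys regardless of Secret type.
func RenderYAML(s Secret) string {
	y := fmt.Sprintf("apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\n  namespace: %s\n  labels:\n", s.Name, s.Namespace)
	for k, v := range s.Labels {
		y += fmt.Sprintf("    %s: %s\n", k, v)
	}
	y += "data:\n"
	for _, k := range []string{"tls.crt", "tls.key"} {
		y += fmt.Sprintf("  %s: %s\n", k, base64.StdEncoding.EncodeToString(s.Data[k]))
	}
	return y
}

func main() {
	secrets, err := BuildClusterCertSecrets("demo", "default")
	if err != nil {
		panic(err)
	}
	for _, s := range secrets {
		fmt.Print(RenderYAML(s), "---\n")
	}
}
```

Running the program prints manifests that can be applied to the cluster's namespace before the k0scontrolplane is created; because the private keys end up in plain Secrets, the namespace's RBAC and any encryption-at-rest settings apply to them just as they would to operator-generated certificates.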
Feature Requirements
Support for Custom CA Certificates:
Allow administrators to specify a custom CA certificate, which hmc will use.
Automated Certificate Distribution and Rotation:
Automate the distribution of these custom certificates to the appropriate namespaces of clusters.
Enable periodic or triggered certificate rotation, adhering to enterprise PKI requirements.
Potential Challenges
Certificate Rotation: Implementing automated rotation that meets both CAPI requirements and enterprise PKI policies could require a robust solution for tracking and updating certificates across the distributed system.
Configuration Complexity: Adding custom CA support may introduce complexity into the templating system, requiring careful design to maintain usability.
Multi-Distribution Support: Expanding support for additional distributions, such as EKS and AKS, introduces variability in certificate handling, as each distribution has its unique approach to CA management and certificate configuration. Ensuring consistent functionality across these different Kubernetes distributions will require handling distribution-specific differences in a standardized manner within hmc.
Benefits
Security Compliance: Meets the needs of enterprise environments with strict PKI requirements.
Ease of Use: Provides a seamless, automated experience for administrators, reducing the need for manual certificate management.
Scalability: Supports enterprise-scale deployment, where certificate rotation and management can be a challenge without automation.