github.com/jlmeeker/kismatic@v1.10.1-0.20180612190640-57f9005a1f1a/docs/proposals/certs-mgmt.md

# Certificate Management

Status: Proposal

This proposal extends the initial certificates CLI with day-2 operations, such as validation of deployed certificates and certificate redeployment.

## Use Cases
* As an operator, I want to check the validity of all certificates currently in use on the cluster
* As an operator, I want to redeploy certificates that are nearing their expiration date
* As an operator, I want to redeploy certificates with a new CA without having to reinstall my cluster

## Certificate Validity Check
A command that can be run against an existing cluster to validate the certificates that are deployed on the cluster. Certificates that are within the warning window will be flagged, as will certificates that have already expired.

```
kismatic certificates validate [options]
```

Output: TBD. Most likely the execution output from an ansible playbook run, to keep orchestration in ansible, but potentially a listing of per-node certificates:
```
# kismatic certificates validate
Node: etcd
Certificate          Expires
Etcd server          09/08/2017 10:00 AM

Node: master01
Certificate          Expires
API server           09/08/2017 10:00 AM
Scheduler client     EXPIRES SOON (06/08/2017 10:00 AM)
...

Node: worker01
Certificate          Expires
Kubelet client       EXPIRED (09/08/2016 10:00 AM)
```

Pre-conditions:
* SSH access to nodes

Options:
* `--warning-window`: Warn about certificates that will expire within this number of days. Defaults to 45 days if not set.
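The per-certificate check the validate command would apply, as an added Go example that is not part of the kismatic code base: `Classify` parses one PEM-encoded certificate and reports it as OK, EXPIRES SOON (expiry inside the warning window) or EXPIRED, and `SelfSignedPEM` fabricates a constructed test certificate with a chosen expiry so the example runs without cluster access. The function names and the assumption that each deployed certificate is available as a PEM file are mine, not the proposal's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Classify reports "OK", "EXPIRES SOON" or "EXPIRED" for one PEM-encoded certificate,
// as the proposed validate command would; warningDays is the --warning-window value.
func Classify(pemBytes []byte, now time.Time, warningDays int) (string, time.Time, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", time.Time{}, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", time.Time{}, err
	}
	switch {
	case now.After(cert.NotAfter): // NotAfter is the last valid instant, as in x509.Verify
		return "EXPIRED", cert.NotAfter, nil
	case cert.NotAfter.Sub(now) <= time.Duration(warningDays)*24*time.Hour:
		return "EXPIRES SOON", cert.NotAfter, nil
	}
	return "OK", cert.NotAfter, nil
}

// SelfSignedPEM builds a constructed self-signed test certificate expiring at notAfter.
func SelfSignedPEM(notAfter time.Time) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now() // constructed sample: expires in 30 days, inside the default 45-day window
	status, exp, _ := Classify(SelfSignedPEM(now.AddDate(0, 0, 30)), now, 45)
	fmt.Printf("Scheduler client     %s (%s)\n", status, exp.Format("01/02/2006 03:04 PM"))
}
```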

## Certificate Redeployment
A command that can be used to deploy certificates on existing machines. If the certificates have not been generated, the command will generate the certificates for the cluster described in the plan file (as if an installation were being performed) and deploy them to the nodes.

Services are restarted whenever required.

```
kismatic certificates deploy
```

Output: Execution of the ansible play for deploying certs.

Pre-conditions:
* SSH access to nodes

## Other considerations
* Have to figure out the mechanics of certificate redeployment. I _think_ service accounts would have to be recreated if the CA changes, or if the service account signing cert changes.