mirror of
https://github.com/k3s-io/k3s.git
synced 2024-06-07 19:41:36 +00:00
Clarify ADR based on design review feedback
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
This commit is contained in:
parent
f13768c247
commit
9b6b72941f
@ -70,14 +70,20 @@ clients using tokens signed by the old key have received new tokens.
## Decision
## Decision
* K3s will allow for use of CA certificates signed by an arbitrary set of external root/intermediate CAs.
* K3s will allow for use of CA certificates signed by an arbitrary set of external root/intermediate CAs.
* K3s will allow for nondisruptive renewal or replacement of the CA certificates and keys, if the cluster was
* K3s will allow for non-disruptive[^1] renewal or replacement of the CA certificates and keys, if the cluster was
originally started using user-provided certificates signed by an external CA.
originally started using user-provided certificates signed by an external CA.
* K3s will allow for disruptive renewal or replacement of cluster CA certificates and keys, if the cluster was
* K3s will allow for disruptive[^2] renewal or replacement of cluster CA certificates and keys, if the cluster was
originally started with autogenerated self-signed CAs.
originally started with autogenerated self-signed CAs.
* K3s will provide example tooling to allow users to generate cluster CA certificates and keys prior to initial
* K3s will provide example tooling to allow users to generate cluster CA certificates and keys prior to initial
cluster startup, and provide tooling and process documentation to update the bootstrap data and prepare agents
cluster startup, and provide tooling and process documentation to update the bootstrap data and prepare agents
to trust the new certificates (if necessary)
to trust the new certificates (if necessary)
[^1]: Non-disruptive renewal requires no change to node configuration. The service only needs to be restarted.
[^2]: Disruptive renewal requires changes to the K3s CLI flags, configuration file, or environment variables
prior to restarting the service. Additionally, the cluster may experience a temporary outage while the
configuration change has been affected to all nodes, due to cluster nodes temporary not sharing a common
root of trust.
## Consequences
## Consequences
This will require additional documentation, CLI subcommands, and QA work to validate the process steps.
This will require additional documentation, CLI subcommands, and QA work to validate the process steps.
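Review bot: footnote [^2] has two wording errors that change its meaning: "while the configuration change has been affected to all nodes" should read "has been applied to all nodes" (or "effected on all nodes"), and "cluster nodes temporary not sharing a common root of trust" should read "temporarily not sharing". The same footnote could also state explicitly that the outage window lasts only until the flag, config file, or environment variable change has been applied and the service restarted on every node, since that is the point at which nodes again share a common root of trust; as written, a reader cannot tell what bounds the outage. Footnote [^1] says "The service only needs to be restarted" without saying on which nodes; given the Decision bullet about preparing agents "to trust the new certificates (if necessary)", consider stating whether the non-disruptive path requires restarting servers only, or servers and agents.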