# Support CA Certificate Renewal / Rotation, Signing by External Root Date: 2022-12-19 ## Status Accepted ## Context On the first startup of a new cluster, K3s currently autogenerates a number of self-signed cluster CAs and keys: * Cluster Server CA + Key (used to sign server certificates) * Cluster Client CA + Key (used to sign client certificates) * Request Header CA + Key (used to sign certificates for apiserver aggregation) * etcd Peer CA + Key (used to sign certificates for authentication between etcd peer servers) * etcd Client CA + Key (used to sign certificates for etcd clients, ie the apiserver) * ServiceAccount Token Signing Key (used to sign ServiceAccount JSON Web Tokens) These CAs are all self-signed, without any cross-signing or common root or intermediates, and are valid for 10 years. When any of these certs expire, any certificates issued will be invalid, causing a significant outage to the cluster. ### Server CA Pinning The Cluster Server CA is used in node bootstrapping. The full `K10` format token includes a SHA265 sum of the Cluster Server CA file's on-disk PEM representation. Nodes that join the cluster using a full token perform a set of checks when starting up: 1. Download the cluster server CA bundle from `/v1-k3s/cacert` on the server they are joining. 2. Validate that the hash of the bytes in the CA bundle match the hash string following the `K10` prefix in the token. 3. Validate that the certificate presented by the server they are joining can be validated using the roots and intermediates present in the CA bundle. Realistically, this hash should have instead been derived from the DER encoding of the root certificate in that bundle, as PEM format allows for variable padding, line lengths, and so on. Only DER format is guaranteed to be stable, and hashing only the root of the chain would have allowed for rotating or renewing intermediate CAs without breaking trust between cluster nodes. ### Bootstrap Data Immutability There is not currently any way to write new certificates to the datastore. The certificates and keys are written to disk once on initial startup, and from there written to the cluster datastore. From that point on, the files in the datastore are considered authoritative; replacing the files on disk will result in either replacement, or error, depending on whether or not the files on disk are newer than those in the datastore. The `secrets-encrypt` subcommand does currently mutate the bootstrap data, but it only touches the secrets encryption configuration, not the CA certs or keys. ### Summary For both of the above reasons (hash pinning, and lack of rewriteability) it is not currently possible to renew or replace the cluster CA certs or keys. ### Additional Considerations #### Aggressive Certificate Rotation Some users (particularly government or financial customers) attempt to implement the guidance from [NIST SP 800-57 Part 1 Rev. 5](https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final). This document would see users signing cluster CAs with a set of organizational root and intermediate certificates, and rotating both the intermediate and cluster CA certificates and keys on at least a yearly basis. #### ServiceAccount Signing Key Rolling Replacement While the ServiceAccount signing key is not signed by any CA, rotation of the key must be done carefully so as to avoid causing an outage. The apiserver and controller-manager must be updated to use a new key, while still trusting the old key for a period of time. The old key can then be removed at a later date, once all clients using tokens signed by the old key have received new tokens. ## Decision * K3s will allow for use of CA certificates signed by an arbitrary set of external root/intermediate CAs. * K3s will allow for non-disruptive[^1] renewal or replacement of the CA certificates and keys, if the cluster was originally started using user-provided certificates signed by an external CA. * K3s will allow for disruptive[^2] renewal or replacement of cluster CA certificates and keys, if the cluster was originally started with autogenerated self-signed CAs. * K3s will provide example tooling to allow users to generate cluster CA certificates and keys prior to initial cluster startup, and provide tooling and process documentation to update the bootstrap data and prepare agents to trust the new certificates (if necessary) [^1]: Non-disruptive renewal requires no change to node configuration. The service only needs to be restarted. [^2]: Disruptive renewal requires changes to the K3s CLI flags, configuration file, or environment variables prior to restarting the service. Additionally, the cluster may experience a temporary outage while the configuration change has been affected to all nodes, due to cluster nodes temporary not sharing a common root of trust. ## Consequences This will require additional documentation, CLI subcommands, and QA work to validate the process steps.