Replies: 1 comment

- yes, this is what we would like to do (it's on our radar) for both Kubernetes and Talos:
  I like the idea of adding additional accepted CAs which might be managed outside of the Talos cluster
- Overview

  I would like to propose adding a `machine.trustedCAs` field that would include the list of trusted root CAs and would be used instead of `machine.ca.crt`.

  Why?
  Separating the list of trusted CAs from `machine.ca.crt` would allow:

  - … `machine.ca`
  - … `machine.ca` (not sure if that would ever be needed though)

  I believe that this separation would make the config a little bit cleaner, as the worker would no longer need to set the `machine.ca` with an empty key, and could just set the `machine.trustedCAs` field. It would make the responsibility of each field in configs a little more focused, because right now `machine.ca.crt` is used for both the trust list as well as leaf certificate generation.

  Details
  Rotating CA

  If we had a separate `machine.trustedCAs` field, we could perform CA rotation in the following way:

  1. … `machine.trustedCAs` for all machines (that way all machines would trust both old and new CAs)
  2. … `machine.ca` in the control plane nodes to the new CA (crt + key)
  3. … `machine.trustedCAs`
  Separate CA for user access

  With a list of trusted CAs, we could use some external CA to generate certificates for the users (humans). That way, we could just add the Root CA certificate of our company into `machine.trustedCAs` and use some external CA system to manage and generate per-user certificates (e.g. with a short, 20h TTL). Users would then log in to the external CA (e.g. using OAuth), get a certificate and then they could connect to Talos.

  That would avoid the need to store the same CA in two places (both in Talos and in the external CA system used to grant access for users).
  Intermediate CA

  We could use an intermediate CA in the following way:

  - … `machine.trustedCAs`
  - … `machine.ca` to Intermediate CA (crt+key)

  If the Intermediate CA is compromised for some reason, in theory we could:

  This means we would not need to change the `machine.trustedCAs` in worker nodes, and only an update to control plane nodes would be required.

  For this to work though, we would have to ensure that:
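The three mechanisms the proposal relies on (a trust list that is separate from the issuing CA, a rotation that passes through a "trust both" state, and an intermediate CA whose replacement leaves the trust list untouched) worked through as an added example in Go with only the standard-library `crypto/x509` package. This is not Talos code and does not touch Talos configuration: the `issuer` struct stands in for the role of `machine.ca` (cert plus key, used to sign), the `[]*x509.Certificate` slice passed to `accepted` stands in for the role the proposed `machine.trustedCAs` would play (certs only, used to verify), and all certificate names and the 20h TTL are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer pairs a certificate with its private key: the role machine.ca plays in the
// proposal (the CA that signs leaf certs). A trust list, by contrast, holds only certs.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // constructed serial numbers for the demo, incremented per cert

// mustCert issues a certificate for name: self-signed when parent is nil, otherwise
// signed by parent. isCA marks it as a root or intermediate CA. Panics on error (demo).
func mustCert(name string, isCA bool, parent *issuer) *issuer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(20 * time.Hour), // short TTL, as in the user-cert case
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &issuer{cert: cert, key: key}
}

// accepted reports whether leaf chains to one of the trusted roots (the trust list),
// given the intermediates a client would present alongside its leaf certificate.
func accepted(leaf *x509.Certificate, trusted, intermediates []*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// rotationScenario walks the trust-list states of a CA rotation and reports, for each,
// whether a client cert issued by the old CA and one issued by the new CA are accepted:
// trust only the old CA, trust both (old and new clients coexist), then trust only the new CA.
func rotationScenario() map[string][2]bool {
	oldCA, newCA := mustCert("old-root", true, nil), mustCert("new-root", true, nil)
	oldLeaf, newLeaf := mustCert("client-old", false, oldCA), mustCert("client-new", false, newCA)
	states := map[string][]*x509.Certificate{
		"only-old": {oldCA.cert},
		"both":     {oldCA.cert, newCA.cert},
		"only-new": {newCA.cert},
	}
	out := map[string][2]bool{}
	for name, trusted := range states {
		out[name] = [2]bool{accepted(oldLeaf.cert, trusted, nil), accepted(newLeaf.cert, trusted, nil)}
	}
	return out
}

// intermediateScenario keeps only the root in the trust list and issues client certs from
// an intermediate. It reports whether a leaf is accepted when the client presents the
// intermediate, when it omits it, and whether a leaf from a replacement intermediate
// (issued from the same root, trust list unchanged) is accepted.
func intermediateScenario() (withInter, withoutInter, afterReplace bool) {
	root := mustCert("root", true, nil)
	inter := mustCert("intermediate-1", true, root)
	leaf := mustCert("client", false, inter)
	trusted := []*x509.Certificate{root.cert}
	withInter = accepted(leaf.cert, trusted, []*x509.Certificate{inter.cert})
	withoutInter = accepted(leaf.cert, trusted, nil)
	inter2 := mustCert("intermediate-2", true, root) // replacement; workers' trust list untouched
	leaf2 := mustCert("client-reissued", false, inter2)
	afterReplace = accepted(leaf2.cert, trusted, []*x509.Certificate{inter2.cert})
	return
}

func main() {
	fmt.Println("rotation (old client accepted, new client accepted):", rotationScenario())
	a, b, c := intermediateScenario()
	fmt.Println("intermediate presented:", a, "omitted:", b, "after replacing intermediate:", c)
}
```

Two points the run makes concrete: the "both" state is the only one in which clients issued by either CA keep working, which is why the rotation must add the new CA to every machine's trust list before any issuer changes, and the intermediate case only verifies when the client presents the intermediate alongside its leaf, so replacing the intermediate changes what control plane nodes issue without touching what workers trust.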