Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
n
nutritious-apartment-10061
09/28/2022, 5:16 PMwhere does k3s store the client-ca and in how much pain would I be if I rotate it?
n
nutritious-tomato-14686
09/29/2022, 9:01 PMK3s can auto rotate the certs https://docs.k3s.io/advanced#certificate-rotation
The cert is located in
var/lib/rancher/k3s/server/tls/client-ca.crtYou can also use the
k3s certificateProcess is not documented (TODO for me), but you
1. stop the k3s server
2. run
k3s certificate rotaten
nutritious-apartment-10061
09/30/2022, 5:56 AMk3s certificate rotate specifically doesn’t rotate that one, that's why I’m here :)
literally removing that file makes k3s recreate it
n
nutritious-tomato-14686
09/30/2022, 7:11 PMYeah I chatted with @fancy-guitar-13855 (he wrote the cert rotation command) and he mentioned that you can just delete that file and K3s will make a new one.
n
nutritious-apartment-10061
09/30/2022, 7:12 PMhttps://github.com/k3s-io/k3s/blob/master/pkg/cli/cert/cert.go#L125-L184 I can't find the place in the code where it removes the client ca though
and in here https://github.com/k3s-io/k3s/issues/5147#issuecomment-1048269049 it's stated that the client ca is indeed not rotated
I'm fine if I need to go thorugh the hoops to rotate it; I just want to know which those involve 🙂
n
nutritious-tomato-14686
09/30/2022, 7:14 PMSo I got more info and we specifically don't rotate any ca* certs because its a Back-Compat thing with RKE1.
When you removed the file, K3s regenerated a new one?
n
nutritious-apartment-10061
09/30/2022, 7:16 PMnope; it restored the old cert from someplace
I stopped k3s, rm-rf'ed the client-ca*, started it and got the same client-ca back
that's still confusing as to how that works
n
nutritious-tomato-14686
09/30/2022, 8:36 PMOkay I did some more digging. Currently, there is no easy way to regenerate the client or server -ca keys/crts. This is because we cache the keys in the etcd/db. They are static for the life of that cluster. If you kill the cluster and remove the files, on restart, k3s will simple pull down the cached version from the DB and regenerate them.
The only way to get new keys is to completely wipe out the K3s cluster...
k3s server --cluster-resetn
nutritious-apartment-10061
09/30/2022, 9:57 PMaha, I thought they'd be in etcd; that explains it.
a bit unfortunate; but yeah; wiped the cluster, learned my lesson. No more CA auth.