Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
f
fierce-accountant-13638
01/09/2023, 4:21 PMHello 👋 I recently updated my k3s installation and my TLS certificates are no longer being signed by my root CA. I injected my certificates based on the instructions here: https://github.com/k3s-io/k3s/issues/1868#issuecomment-639690634 Did the certificate handling change? Is there a better documented way to use my private root CA to sign the CAs used by k3s? My goal is to be able to validate the certs when pushing changes with kubectl.
c
creamy-pencil-82913
01/09/2023, 4:30 PMthat isn’t technically supported. If you self-sign your own certs then you need to be sure that they don’t get within 90 days of expiring, or K3s will renew them using its managed CA certs.
We don’t currently have any option to tell K3s not to manage the certificates. If it needs a new cert, or needs to renew a cert, it will generate one.
we haven’t changed anything in that space so I suspect they just came up for renewal and K3s took care of them.
What we will eventually support is using K3s cluster CAs that are signed by an external CA. That should come soon-ish.
😛artyparrot: 1
f
fierce-accountant-13638
01/09/2023, 4:34 PMWould that be using ACME requests?
Or something similar?
I just have the keys locally and am using the
tlsc
creamy-pencil-82913
01/09/2023, 4:37 PMno, just by signing the cluster CA with an external cert. ACME support would be cool but there’s a lot of overhead associated with that. We just do it all locally using the CA cert+keys
Check out https://github.com/k3s-io/k3s/blob/c8caa4b51c67db6be268839866da81a77414ba96/docs/adrs/ca-cert-rotation.md for what that will probably look like.
f
fierce-accountant-13638
01/09/2023, 4:40 PMOK cool. I was guessing on ACME. If there's a list of where to put the generated certs, that's actually easier for me.
That documentation looks great! I'll take a look in a little bit and see if that works for me. Thank you!
I see what you mean by eventually. Is there mailing list or something where I would see this feature? I'd love to see updates about k3s (and longhorn and rancher desktop)
c
creamy-pencil-82913
01/09/2023, 5:07 PMjust github
the PR is at https://github.com/k3s-io/k3s/pull/6615, you can hit the subscribe button there to get notifications from GH when it is updated.
f
fierce-accountant-13638
01/09/2023, 5:09 PMNice! Subscribed.
Could I bother you with another mostly unrelated question?
c
creamy-pencil-82913
01/09/2023, 5:17 PMsure
f
fierce-accountant-13638
01/09/2023, 5:23 PMIs there a way to replace the Traefik default certificate using only Kubernetes manifests?
I've tried setting up a TLSStore and I have it working for one service, but I'd like to override the cert for the default error handlers that print 404 Not Found or 503 Service Unavailable
I haven't been able to get the TLSStore working for those endpoints
c
creamy-pencil-82913
01/09/2023, 5:36 PMI think you can point it at a tlsstore for the default with a CLI flag? I’m not sure tbh, I’m not a Traefik expert
f
fierce-accountant-13638
01/09/2023, 6:49 PMI figured it out, the TLSStore needed to be in the
defaultc
creamy-pencil-82913
01/09/2023, 7:05 PMyeah the docs can be a little hard to parse at times