# k3s
a
This message was deleted.
c
that isn’t technically supported. If you self-sign your own certs then you need to be sure that they don’t get within 90 days of expiring, or K3s will renew them using its managed CA certs.
We don’t currently have any option to tell K3s not to manage the certificates. If it needs a new cert, or needs to renew a cert, it will generate one.
we haven’t changed anything in that space so I suspect they just came up for renewal and K3s took care of them.
What we will eventually support is using K3s cluster CAs that are signed by an external CA. That should come soon-ish.
f
Would that be using ACME requests?
Or something similar?
I just have the keys locally and am using the `tls` Terraform provider to create the certs. I'll admit I have a strange setup 😅
c
no, just by signing the cluster CA with an external cert. ACME support would be cool but there’s a lot of overhead associated with that. We just do it all locally using the CA cert+keys
f
OK cool. I was guessing on ACME. If there's a list of where to put the generated certs, that's actually easier for me.
That documentation looks great! I'll take a look in a little bit and see if that works for me. Thank you!
I see what you mean by eventually. Is there a mailing list or something where I would see this feature? I'd love to see updates about k3s (and longhorn and rancher desktop)
c
just github
the PR is at https://github.com/k3s-io/k3s/pull/6615, you can hit the subscribe button there to get notifications from GH when it is updated.
f
Nice! Subscribed.
Could I bother you with another mostly unrelated question?
c
sure
f
Is there a way to replace the Traefik default certificate using only Kubernetes manifests?
I've tried setting up a TLSStore and I have it working for one service, but I'd like to override the cert for the default error handlers that print 404 Not Found or 503 Service Unavailable
I haven't been able to get the TLSStore working for those endpoints
c
I think you can point it at a tlsstore for the default with a CLI flag? I’m not sure tbh, I’m not a Traefik expert
f
I figured it out, the TLSStore needed to be in the `default` namespace. I must have looked at this documentation at least three times before seeing the Kubernetes tab: https://doc.traefik.io/traefik/https/tls/#default-certificate
c
yeah the docs can be a little hard to parse at times