Provision K8s cluster root CA from Vault
requested to merge bruno.sc/655-provision-kubernetes-cluster-ca-from-vault into 655-regression-restore-kubernetes-certificate-signing-ability
Version Control Information
Source branch: bruno.sc/655-provision-kubernetes-cluster-ca-from-vault
Target branch: 655-regression-restore-kubernetes-certificate-signing-ability
Commits:
* Provision K8s cluster root CA from Vault
Fetches the private key of the Kubernetes cluster root CA from Vault (kv store)
and makes it available on the control plane.
The provisioning is only done if
`[kubernetes.controller_manager].enable_signing_requests=true` is set in the
config.
Part-of: #655
* Backup K8s cluster root CA to Vault kv store
Extends the K8s cluster root CA creation to immediately back up the CA's private
key in Vault's key value store in order to retain access to it.
Continued access is necessary to distribute the backed-up private key to the
K8s control plane as a short-term regression fix for restoring Kubernetes'
ability to respond to certificate signing requests.
Part-of: #655
Note to reviewers
Commits will be auto-squashed after review.
Merge Prerequisites
- MR title (and description) are descriptive
- Code is readable and syntactically correct
- Code is understandable
- Documentation has been updated, if necessary
- Commit messages look good
- Release note file added in latest commit
Bases-on: fix/keep-kubernetes-ca (!1201 (merged))
After: !1201 (merged)
Part-of: #655 (closed)
Edited by brunos