
SUSE / kucero

Licence: Apache-2.0 License
KUbernetes CErtificate ROtation

Programming Languages: go, shell, Makefile, Dockerfile

Projects that are alternatives of or similar to kucero

BTCert
BTCert authenticates academic certificates by means of a digital credential that allows immediate verification by third parties. BTCerts uses blockchain and cryptographic techniques to create a certification infrastructure based on the standard Blockcerts
Stars: ✭ 21 (-22.22%)
Mutual labels:  certificate
ght-acme.sh
Shell script to sign certificate by the letsencrypt CA
Stars: ✭ 31 (+14.81%)
Mutual labels:  certificate
security-trust-settings-tools
🔒 OS X Keychain Trust Settings Tools.
Stars: ✭ 19 (-29.63%)
Mutual labels:  certificate
frida-android-unpinning
A Frida script to disable SSL certificate pinning in a target application
Stars: ✭ 186 (+588.89%)
Mutual labels:  certificate
concerto
A command line tool and a library to generate TLS certificates for development purposes.
Stars: ✭ 34 (+25.93%)
Mutual labels:  certificate
letsencrypt-inwx
A small cli utility for automating the letsencrypt dns-01 challenge for domains hosted by inwx.
Stars: ✭ 43 (+59.26%)
Mutual labels:  certificate
jenkins-blue
Quickly provision jenkins blue ocean on kubernetes with persistent configuration
Stars: ✭ 20 (-25.93%)
Mutual labels:  kubeadm
service-identity
Service Identity Verification for Python
Stars: ✭ 78 (+188.89%)
Mutual labels:  certificate
cert-manager
Automatically provision and manage TLS certificates in Kubernetes
Stars: ✭ 8,781 (+32422.22%)
Mutual labels:  certificate
efm-certvalidator
Certificate validator for X.509 certificates.
Stars: ✭ 25 (-7.41%)
Mutual labels:  certificate
certexfil
Exfiltration based on custom X509 certificates
Stars: ✭ 18 (-33.33%)
Mutual labels:  certificate
website-checks
check your website for issues with multiple tools and get PDF reports of the results
Stars: ✭ 69 (+155.56%)
Mutual labels:  certificate
django-yadpt-starter
Yet Another Django Project Template skeleton for Django projects
Stars: ✭ 28 (+3.7%)
Mutual labels:  certificate
powershell-codesigning
Create and use code signing certificates with PowerShell
Stars: ✭ 16 (-40.74%)
Mutual labels:  certificate
kubernetes-deployment
No description or website provided.
Stars: ✭ 15 (-44.44%)
Mutual labels:  kubeadm
Mirror
Deploy Google and Wikipedia mirror with one command using now.sh.
Stars: ✭ 93 (+244.44%)
Mutual labels:  certificate
cissp-mind-map
CISSP mind map, 8 domains, 2020 edition, OSG/AIO eighth edition, 8th
Stars: ✭ 31 (+14.81%)
Mutual labels:  certificate
qsslcaudit
test SSL/TLS clients how secure they are
Stars: ✭ 22 (-18.52%)
Mutual labels:  certificate
laravel-ohdear-webhooks
Handle Oh Dear webhooks with ease in a Laravel app
Stars: ✭ 18 (-33.33%)
Mutual labels:  certificate
observatory-exporter
Prometheus exporter for Mozilla Observatory
Stars: ✭ 31 (+14.81%)
Mutual labels:  certificate

kucero

Introduction

Kucero (KUbernetes CErtificate ROtation) is a Kubernetes daemonset that performs automatic Kubernetes control plane certificate rotation.

Kucero takes care of both:

  • kubeadm certificates and kubeconfigs: kucero periodically watches the kubeadm-generated certificates and kubeconfigs on the host system and renews them when their remaining lifetime falls below the user-configured period.
  • kubelet certificates:
    • kubelet.conf: kucero auto-updates /etc/kubernetes/kubelet.conf from the embedded base64-encoded client cert/key to a reference to the local file /var/lib/kubelet/kubelet-client-current.pem (clusters bootstrapped with kubeadm version < 1.17 have this bug).
    • client certificate: kucero configures rotateCertificates: true or rotateCertificates: false in /var/lib/kubelet/config.yaml, which controls whether the kubelet client certificate is rotated automatically. With rotateCertificates: true, the kubelet sends a client CSR at approximately 70%-90% of the certificate's total lifetime; the kube-controller-manager watches for kubelet client CSRs and automatically signs and approves them with the Kubernetes cluster CA cert/key pair.
    • server certificate: kucero configures serverTLSBootstrap: true or serverTLSBootstrap: false in /var/lib/kubelet/config.yaml, which controls whether the kubelet server certificate is rotated automatically. With serverTLSBootstrap: true, the kubelet sends a server CSR at approximately 70%-90% of the certificate's total lifetime; the kucero controller watches for kubelet server CSRs and automatically signs and approves them with the user-specified CA cert/key pair.

Kubelet Configuration

By default, kucero enables automatic rotation of both the kubelet client certificate (rotateCertificates: true) and the kubelet server certificate (serverTLSBootstrap: true); you can disable either by passing flags to kucero:

  • --enable-kubelet-client-cert-rotation=false
  • --enable-kubelet-server-cert-rotation=false

Build Requirements

  • Golang >= 1.16
  • Docker
  • Kustomize

Container Package Requirement

  • /usr/bin/nsenter

Kubeadm Compatibility

  • kubeadm >= 1.15.0

Installation

make docker-build IMG=<YOUR-DOCKER-REPOSITORY-IMAGE-NAME-TAG>
make docker-push IMG=<YOUR-DOCKER-REPOSITORY-IMAGE-NAME-TAG>
make deploy-manifest IMG=<YOUR-DOCKER-REPOSITORY-IMAGE-NAME-TAG>

Configuration

The following arguments can be passed to kucero via the daemonset pod template:

Flags:
      --ca-cert-path string         sign CSR with this certificate file (default "/etc/kubernetes/pki/ca.crt")
      --ca-key-path string          sign CSR with this private key file (default "/etc/kubernetes/pki/ca.key")
      --ds-name string              name of daemonset on which to place lock (default "kucero")
      --ds-namespace string         namespace containing daemonset on which to place lock (default "kube-system")
      --enable-kucero-controller    enable kucero controller (default true)
  -h, --help                        help for kucero
      --leader-election-id string   the name of the configmap used to coordinate leader election between kucero-controllers (default "kucero-leader-election")
      --lock-annotation string      annotation in which to record locking node (default "caasp.suse.com/kucero-node-lock")
      --metrics-addr string         the address the metric endpoint binds to (default ":8080")
      --polling-period duration     certificate rotation check period (default 1h0m0s)
      --renew-before duration       rotates certificate before expiry is below (default 720h0m0s)

Uninstallation

make destroy-manifest

Demo

  • kubeadm asciicast
  • kubelet asciicast