From 28975431c2968b0b79f2d52d722db6ab79bf44af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Guilherme=20Vanz?= Date: Wed, 4 Sep 2024 14:02:11 -0300 Subject: [PATCH] feat: explain how certificate rotation works. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a new page in the explanation section of the documentation to clarify how the new certification rotation works. Signed-off-by: José Guilherme Vanz Co-authored-by: John Krug --- docs/explanations/certificates.md | 50 +++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 docs/explanations/certificates.md diff --git a/docs/explanations/certificates.md b/docs/explanations/certificates.md new file mode 100644 index 0000000000..e77fccb9dc --- /dev/null +++ b/docs/explanations/certificates.md 
@@ -0,0 +1,50 @@ +--- +sidebar_label: Certificate rotation +sidebar_position: 21 +title: Certificate rotation +description: How Kubewarden controller manages its certificates +keywords: [ kubewarden, certificate, controller, reconciliation ] +doc-persona: [kubewarden-operator] +doc-type: [explanation] +doc-topic: [explanations, certificates] +--- + + + + + + +Since Kubewarden v1.17.0, the cert-manager dependency was removed. The +controller is able to manage all the certificates used by all the components. +This means that the controller has a new reconciliation loop that ensures the +certificates are always up-to-date and the webhook configuration is correct. + +The first certificate generation is done by the Helm chart installation. It +will generate the root CA with ten years until expiration. The Helm chart +installation also generates the controller webhook webserver certificate, +signed by the root CA. This is used by the API server to communicate with the +Kubewarden controller to validate the CRDs. It has a one year expiration. + +Once the controller starts, its reconciler renews the certificates +automatically when they are about to expire. It also updates all the +certificates and webhook configurations used by the entire Kubewarden stack. + +:::note +All the certificates generated by the Helm chart and later by the controller uses +ECDSA P256 keys. +::: + +The reconciliation loop renews certificates 60 days before expiration. The +certificates are rotated without downtime. In the root CA renewal process, this +is done by updating the webhooks to use a CA bundle with the new root CA and +the old root CA. This allows the API server to continue to communicate with the +Kubewarden controller while the new certificate is being propagated. + +Once the new certificate is ready and the old one is invalid, the controller +will update the webhook configuration to use the new certificate only. 
+ +When a policy server certificate or the controller webserver certificate is +renewed, the controller updates the secret with the new certificate signed by +the root CA. Due to this reload feature, the controller, and the policy server, +use the new certificate with no need to restart processes, hence no downtime. +
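Review bot: In the final paragraph, "Due to this reload feature" points at a reload feature that the page never introduces; the preceding sentence only says the controller updates the secret. Add a sentence stating that the controller and the policy server reload the certificate when the secret changes, or reword it to something like "Because both components reload the certificate from the updated secret, ...". In the same area, "Once the new certificate is ready and the old one is invalid" leaves open what makes the old root CA invalid (expiry or something else), which is the condition an operator needs in order to know when the CA bundle drops the old CA. Two wording nits: in the note block, "All the certificates ... uses ECDSA P256 keys" should be "use", and in the opening paragraph "Since Kubewarden v1.17.0, the cert-manager dependency was removed" reads better as "has been removed".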