Skip to content

feat(pki): serve as the external PKI/CA for a Kubernetes (incl. Talos) cluster's internal + API certs #113

Description

@Bugs5382

CryptOS should be able to act as the external PKI for a Kubernetes cluster that it is not part of, so the cluster's trust is rooted in CryptOS rather than a self-signed per-cluster CA.

For such a cluster that could mean anchoring the internal control-plane communication (the API server, etcd peer and client certs, kubelet certs, the front proxy), which would typically chain through a per-cluster subordinate CA (see #109); client certificates for admin and operator access to the API server; and even Talos itself, where a Talos cluster's own machine and cluster PKI could be rooted in CryptOS instead of Talos-generated self-signed roots.

This is the broader "CryptOS is the cluster's foundational CA" story. cert-manager (#110) covers in-cluster workload and ingress certificates over ACME; this issue is about the cluster's identity itself. It leans on subordinate CA issuance (#109), client certificates (#112), and getting the CryptOS root and intermediate trusted inside the cluster.

Not scheduled. Whether each cluster gets its own sub-CA or issues directly, how a cluster bootstraps trust in CryptOS, and the integration with kubeadm or Talos machine config are still open.

Metadata

Metadata

Assignees

Labels

enhancementNew feature (feat). Minor version bump.

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions