CryptOS should be able to act as the external PKI for a Kubernetes cluster that it is not part of, so the cluster's trust is rooted in CryptOS rather than a self-signed per-cluster CA.
For such a cluster that could mean anchoring the internal control-plane communication (the API server, etcd peer and client certs, kubelet certs, the front proxy), which would typically chain through a per-cluster subordinate CA (see #109); client certificates for admin and operator access to the API server; and even Talos itself, where a Talos cluster's own machine and cluster PKI could be rooted in CryptOS instead of Talos-generated self-signed roots.
This is the broader "CryptOS is the cluster's foundational CA" story. cert-manager (#110) covers in-cluster workload and ingress certificates over ACME; this issue is about the cluster's identity itself. It leans on subordinate CA issuance (#109), client certificates (#112), and getting the CryptOS root and intermediate trusted inside the cluster.
Not scheduled. Whether each cluster gets its own sub-CA or issues directly, how a cluster bootstraps trust in CryptOS, and the integration with kubeadm or Talos machine config are still open.
CryptOS should be able to act as the external PKI for a Kubernetes cluster that it is not part of, so the cluster's trust is rooted in CryptOS rather than a self-signed per-cluster CA.
For such a cluster that could mean anchoring the internal control-plane communication (the API server, etcd peer and client certs, kubelet certs, the front proxy), which would typically chain through a per-cluster subordinate CA (see #109); client certificates for admin and operator access to the API server; and even Talos itself, where a Talos cluster's own machine and cluster PKI could be rooted in CryptOS instead of Talos-generated self-signed roots.
This is the broader "CryptOS is the cluster's foundational CA" story. cert-manager (#110) covers in-cluster workload and ingress certificates over ACME; this issue is about the cluster's identity itself. It leans on subordinate CA issuance (#109), client certificates (#112), and getting the CryptOS root and intermediate trusted inside the cluster.
Not scheduled. Whether each cluster gets its own sub-CA or issues directly, how a cluster bootstraps trust in CryptOS, and the integration with kubeadm or Talos machine config are still open.