Support certificate chains when using custom certs

[byo]

RKE version:
1.0.0

When specifying custom certificates, RKE assumes that the specified CA directly signs final certificates for kubernetes components. There's no way to specify custom certificates using intermediate CA:

• validation of certificates fails due to issuer name mismatch (i.e. https://github.com/rancher/rke/blob/adc5941/pki/util.go#L773)
• there's no way to inform kubernetes components to serve whole certificate chain instead of just their own certificate

Such intermediate-CA setup would be beneficial in case of intermediate CA rotation as is in our case - it's only needed to supply the long-lived, offline root CA to clients to trust the rotated intermediate certificates.

gz#12775

[devopsmariocom]

@byo do I understand it correctly that you want to just paste intermediate CA to rke and let rke to generate component certs for you same as kubeadm does https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#external-ca-mode?

[byo]

@ElMarioFredo My use-case is when rke does not generate certificates nor keys at all, those are created outside and passed through --custom-certs flag:

rke up --config <config_file> --custom-certs --cert-dir <certs_dir>`

[dje4om]

I tried to provide RKE custom certs a kube-ca.pem with the chain CA (the root CA and intermediate CA) in the same file, wich is valid for openssl, but when rke deploy the certificates on nodes, the kube-ca.pem keep only one cert, so all the chain is invalid.

[stoff1973]

@ElMarioFredo Can we apply the "KISS" principle?
Because, IMHO, I don't think RKE has any good reason to modify these certificates while I explicitly use the "--custom-certs" option.
"Custom" should be understood as "I've craft these files so I don't want RKE change anything in them"

[devopsmariocom]

Thanks @byo and @stoff1973 for reply, as I mentioned I like how kubeadm is handling certificate generation for you from custom CA.

I understand that it's simpler to apply KISS here, but this leads to clusters running on self signed certificates which is IMHO security bad practice when company have its own CA.

[stoff1973]

For me, there is no relationship between providing a complete chain (CA + intermediate) and using a self-signed certificate.
Talking about kubeadm, there is some commits about this issue :
kubernetes/kubernetes#97266