From time to time we need to renew the certificate issued to a Policy Server instance. The main reason
to perform this operation is to ensure the Policy Server is not using an expired certificate.

To renew a Policy Server certificate the following actions have to be done:

1. Generate a new certificate and sign it with our CA.
2. Force a rollout of the Policy Server deployment. This ensures the HTTPS server uses the new certificate.

Note: there's no need to touch the webhook configuration objects related to the policies
hosted by the Policy Server. The new certificate is still signed by the same CA, hence nothing has
to be changed.
Reconciliation loop

Reconciliation loops are triggered whenever an event dealing with a watched resource happens.
In this case it could be the create/update/delete of a PolicyServer.
The reconciliation loop is also triggered every 10 hours by SyncPeriod as a way to cope with possible glitches with the event notification system.
At the beginning of the reconciliation loop, the code should check the expiration date of the certificate used by the Policy Server. If the certificate is about to expire a new one should be created.
Check the previous section to see which actions have to be done in this circumstance.
The loop should also monitor changes done to the secret that holds the internal CA.
The reconciliation loop should then make sure that the Policy Server certificate has been signed by our CA.
If not, a new certificate should be issued (like during a renewal).
Note: checking whether the Policy Server certificate has been issued by our CA might be computationally expensive.
We have to ensure this is not going to cause a CPU spike. We could do something clever using
the revision number of the Secret that holds the CA.
SyncPeriod or RequeueAfter
We'd rather be explicit by adding a configuration value and triggering the reconciliation loop via a RequeueAfter.
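The two checks the loop runs on the Policy Server certificate (about to expire, or not signed by the CA currently in the Secret) together with an explicit RequeueAfter, written out in Go as an added example; this is not the kubewarden controller's own code. The 30-day renewal window, the 10-hour interval passed to RequeueAfter, and the NewCA/NewLeaf demo certificates are assumptions constructed here, standing in for the certificate and CA the controller reads from the cluster.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const renewBefore = 30 * 24 * time.Hour // assumed renewal window, not from the issue

// NeedsRenewal runs the loop's two checks: about to expire, or not signed by the current CA.
func NeedsRenewal(cert, ca *x509.Certificate, now time.Time) (bool, string) {
	if now.Add(renewBefore).After(cert.NotAfter) {
		return true, "certificate expires at " + cert.NotAfter.UTC().Format(time.RFC3339)
	}
	if err := cert.CheckSignatureFrom(ca); err != nil { // also checks ca is allowed to sign certs
		return true, "certificate not signed by our CA: " + err.Error()
	}
	return false, ""
}

// RequeueAfter: the configured check interval, or sooner if the renewal window opens first.
func RequeueAfter(cert *x509.Certificate, now time.Time, interval time.Duration) time.Duration {
	if until := cert.NotAfter.Add(-renewBefore).Sub(now); until > 0 && until < interval {
		return until
	}
	return interval
}

// NewCA and NewLeaf build constructed Ed25519 demo certificates (errors ignored); not the controller's own code.
func NewCA(name string, now time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(87600 * time.Hour)}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // self-signed root
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

func NewLeaf(ca *x509.Certificate, caKey ed25519.PrivateKey, now time.Time, ttl time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "policy-server"},
		NotBefore: now, NotAfter: now.Add(ttl)}
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

A rotated CA in the Secret makes CheckSignatureFrom fail for every certificate issued under the old one, which is the "issue a new certificate like during a renewal" path above; RequeueAfter shrinks the delay only once the renewal window is closer than the configured interval.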
Refer to this discussion:
https://github.com/kubewarden/rfc/pull/24/files#r1333119954

Related to: https://github.com/kubewarden/rfc/blob/main/rfc/0018-certificate-handling.md#policy-server-certificate-renewed