
Rotate TLS certificates #819

Closed
Tracked by #7
fabriziosestito opened this issue Jul 22, 2024 · 0 comments · Fixed by #829

fabriziosestito commented Jul 22, 2024

Create a runnable CertController that periodically checks if it's time to rotate the TLS certificates.
A look-ahead interval must be used so that certificates are always propagated enough time before the expiration.

We need to check:

  • webhook controller TLS certificate
  • policy servers TLS certificates

Since the certificates are stored in secrets, which are mounted on the controller and policy server pods, we are sure the changes will eventually be propagated by the certwatcher and the hot-reload mechanisms, respectively.

We assume the look-ahead time is enough for the watchers to pick up the updates.

The runnable should only run on the leader.
The renewed certificates should use the same bit-size and settings as the ones generated by the helm genSignedCert function.

This repository could act as a reference: https://github.com/open-policy-agent/cert-controller/
