Certgen: provide parameter for setting expiry date for gRPC certificates #2017
Labels
priority/important-soon
Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Currently certgen generates gRPC certificates with a fixed one-year expiration period. Contour does not yet support rotation of gRPC certificates. It is expected that users will handle this.
Assumption: Many users will miss the documentation and unknowingly set a "time bomb" which will cause an incident in 365 days.
Proposal 1: add a parameter to certgen for users to set the expiration date for the gRPC certificates.
Proposal 2: as long as there is no automated enrollment, use a default expiration period that will NOT expire in any reasonable time.
Certificates are preferably rotated, but due to the lack of automation at this point, there is a high risk that the user will not be prepared for it either. In that case, a never-expiring certificate is better than an expired certificate. The added security risk is negligible.
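The lifetime parameter from Proposal 1, paired with an expiry check that catches the "time bomb" before it goes off, as an added example (not Contour's certgen code). The names `issue`, `daysLeft`, `lifetimeDays` and `warnDays` are hypothetical, and the certificate is a self-signed stand-in rather than certgen's CA-signed output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a DER self-signed certificate valid for lifetimeDays from now.
func issue(cn string, lifetimeDays int, now time.Time) ([]byte, error) {
	if lifetimeDays <= 0 {
		return nil, fmt.Errorf("lifetime must be positive, got %d days", lifetimeDays)
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.Unix()), // constructed; real issuers use random serials
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-5 * time.Minute), // tolerate small clock skew
		NotAfter:     now.AddDate(0, 0, lifetimeDays),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// daysLeft reports whole days until NotAfter (negative once expired) and
// whether the certificate is inside the warnDays alerting window.
func daysLeft(der []byte, now time.Time, warnDays int) (int, bool, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, false, err
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	return days, days <= warnDays, nil
}

func main() {
	now := time.Now().UTC().Truncate(time.Second)
	if der, err := issue("contour", 365, now); err == nil {
		fmt.Println(daysLeft(der, now.AddDate(0, 0, 340), 30)) // checked 340 days after issue
	}
}
```

Running a check like `daysLeft` on a schedule against the deployed certificates gives advance warning whichever default lifetime is chosen.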