Automatically rotate certificates #2910

Closed
gdemonet opened this issue Nov 2, 2020 · 2 comments
Labels

  • complexity:medium (Something that requires one or few days to fix)
  • kind:enhancement (New feature or request)
  • priority:high (High priority issues, should be worked on ASAP (after urgent issues), not postponed)
  • topic:operations (Operations-related issues)
  • topic:salt (Everything related to SaltStack in our product)

Comments

Contributor

gdemonet commented Nov 2, 2020

Component: salt, kubernetes

Why this is needed:

Because certificates have an expiration date, and services depend on them.

See: https://twitter.com/eikke/status/1131194207920640007

What should be done:

Watch certificate TTLs and automatically renew them when required (expiration in less than 7 days).
Some certificates are embedded in kubeconfig files, so special care will need to be taken around them.
Some components may need to be restarted after certificates are updated, so we will also need to make sure this is properly triggered if required.

Implementation proposal (strongly recommended):

  • Use a beacon to watch certificates (list of certificates to watch will be defined in roles pillar)
  • Send an event to renew a certificate when close to expiry (<7 days)
  • Use a reactor to react to "renew-cert" events (the state to run depends on the certificate, mapping will be stored in pillar as well)

Test plan:

Add a test to:

  • Generate a certificate with less than 7 days TTL
  • Manually trigger the beacon
  • Observe the certificate was renewed
gdemonet added the kind:enhancement, topic:operations, complexity:medium, priority:high and topic:salt labels Nov 2, 2020
gdemonet added this to the MetalK8s 2.6.0 milestone Nov 2, 2020
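
The beacon half of the implementation proposal above, sketched as an added example (not part of the original issue and not MetalK8s code). The module name `cert_expiry`, the `certificates` and `threshold_days` config keys, and the event fields are assumptions; it reads plain PEM files through the `openssl` CLI and does not cover certificates embedded in kubeconfig files.

```python
# Added example: custom Salt beacon module, e.g. saved as _beacons/cert_expiry.py.
# Beacon name, config keys and event fields are assumptions, not MetalK8s code.
import ssl
import subprocess
import time


def not_after(path):
    """Expiry of the PEM certificate at `path`, in epoch seconds (needs openssl)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", path],
                         check=True, capture_output=True, text=True).stdout
    # Output looks like "notAfter=Nov  2 12:00:00 2021 GMT".
    return ssl.cert_time_to_seconds(out.strip().split("=", 1)[1])


def expiring(certs, now, threshold_days=7, expiry=not_after):
    """Return one event dict per certificate expiring within the threshold."""
    events = []
    for path in certs:
        try:
            remaining = expiry(path) - now
        except (OSError, subprocess.CalledProcessError, ValueError, IndexError) as exc:
            # An unreadable certificate is reported, never silently skipped.
            events.append({"tag": "error", "cert_path": path, "error": str(exc)})
            continue
        if remaining < threshold_days * 86400:  # also true once already expired
            # Salt appends the "tag" value to the beacon's event tag.
            events.append({"tag": "renew-cert", "cert_path": path,
                           "expires_in_days": round(remaining / 86400, 2)})
    return events


def _merge(config):
    """Salt passes beacon configuration as a list of dicts; flatten it."""
    return {k: v for item in config for k, v in item.items()}


def validate(config):
    """Reject configurations that do not name the certificates to watch."""
    if not isinstance(config, list) or not all(isinstance(i, dict) for i in config):
        return False, "cert_expiry beacon configuration must be a list of dicts"
    if not isinstance(_merge(config).get("certificates"), list):
        return False, "cert_expiry beacon requires a 'certificates' list"
    return True, "Valid beacon configuration"


def beacon(config):
    """Entry point called by the Salt minion at each beacon interval."""
    cfg = _merge(config)
    return expiring(cfg["certificates"], time.time(), cfg.get("threshold_days", 7))
```

A reactor matching the `renew-cert` events would then look up the state to run for `cert_path` in pillar, as the proposal describes.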
Contributor

NicolasT commented Nov 2, 2020

Ref #2208 and #1887

Contributor Author

gdemonet commented Nov 2, 2020

Closing in favor of #1887
