keda: cert-manager: rotate CA every 9 months #711
Conversation
Signed-off-by: Jan Wozniak <[email protected]>
|
Hi @wozniakjan , I think it is not quite right. The defaults at the moment rotate the leaf certificate 8 months before it expires which means they are changed every 4 months not 2. Furthermore the dates by which the leaf are renewed are user configurable. To me the best solution would be as follows:
That would always ensure there is a renewal of a leaf certificate in the overlap of a root ca renewal. A slightly more complicated math applies if we also allow the configuration of the |
silly me, you are of course correct, 5840h is 8 months, not 10 :) I like your proposal, given you went through the hard part of figuring out the details, would you like to send a PR as well? I'm happy to review it and close mine. Alternatively, I should be able to craft this PR better sometime next week. |
|
Thanks @wozniakjan Sure thing :) Let me try to sneak in the MR today and at worst monday morning. |
|
@wozniakjan I wasn't technicall enough with helm to do the check automatically unfortunatlly |
|
no worries @tete17, I'm going to take a look at your PR later this week. I now realize we may want to consider keeping some sane default for |
|
superseded by #712 |
The CA is self-signed for 1 year with a rotation set 1 month before its own expiration.
The cert signed by the CA is also signed for 1 year with a rotation
108 months before expiration (so rotating every24 months).That theoretically means the CA, a month before its expiration, can sign a cert for 1 year (scheduled to rotate in
24 months). But the cert will be rejected during TLS handshake in a month + 1 day because when evaluating the chain, the signing CA has expired at that point.This PR adds extra rotation buffer, rotating CA every
97 months (35 months before expiration) so when it signs certs scheduled to rotate in24 months, it doesn't expire meanwhile.Checklist
Fixes #710