
review cert-update process

Open · joel-bluedata opened this issue · 0 comments

KD generates a host cert (and a CA cert to sign it) in order to run its webhook. The host cert expires first, in one year (CA cert is 10 years).

Regenerating these certs just requires deleting the cert-containing secret and the webhook config, and then restarting KD -- which is most easily done by deleting the KD pod. I.e.

    kubectl delete MutatingWebhookConfiguration kubedirector-webhook
    kubectl delete secret kubedirector-validator-secret
    kubectl delete pod -l name=kubedirector

...which is a process that isn't rocket science, but can almost certainly be improved.

A quick survey of some other operators shows that they automatically regenerate their certs every time they are restarted.

Another approach would be to have a configurable option for KD as to whether it should auto-self-renew these certs.

We should also survey solutions like cert-manager -- we don't want to depend on the existence of such a solution, but it could be beneficial to provide an optional integration.

joel-bluedata, May 09 '22 21:05
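The rotation steps above are three imperative commands with no check of whether rotation is actually due, and nothing on the page says how much lifetime the host cert has left at any given moment. The script below is an added example, not KubeDirector's own code: it builds a CA-signed host cert the way the issue describes (host cert one year, CA ten years), reports the days remaining before a PEM cert's `notAfter`, and wraps the issue's three `kubectl delete` commands in a function that runs only when the cert is within a chosen number of days of expiry. The secret and webhook names come from the issue; the key under which the cert is stored inside the secret is not on the page, so `CERT_DATA_KEY` is a placeholder assumption. Requires `openssl`, `date` and, for the live check, `kubectl`.

```shell
#!/bin/sh
# Added example (not from KubeDirector): expiry check and conditional rotation
# of the webhook host cert. Assumes openssl/date on PATH; kubectl only for live use.
set -eu

WEBHOOK_CONFIG="kubedirector-webhook"            # from the issue text
CERT_SECRET="kubedirector-validator-secret"      # from the issue text
CERT_DATA_KEY="tls.crt"                          # ASSUMPTION: data key inside the secret is not on the page

# Build a CA cert (10 years) and a host cert signed by it ($2 days), like KD does.
# Writes ca.crt, ca.key, host.crt, host.key into directory $1. Test fixtures only.
make_test_certs() {
  dir="$1"; host_days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=kd-example-ca" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/host.key" -out "$dir/host.csr" -subj "/CN=kd-example-webhook" >/dev/null 2>&1
  openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days "$host_days" -out "$dir/host.crt" >/dev/null 2>&1
}

# Print the whole days left until the notAfter of the PEM certificate in file $1.
# Negative output means the cert is already expired.
days_until_expiry() {
  pem="$1"
  end=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
  # GNU date understands OpenSSL's "Mon DD HH:MM:SS YYYY GMT"; BSD date needs -j -f.
  end_epoch=$(date -u -d "$end" +%s 2>/dev/null \
    || date -u -j -f "%b %e %H:%M:%S %Y %Z" "$end" +%s)
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Exit 0 (true) when the cert in file $1 has fewer than $2 days left, else 1.
needs_rotation() {
  [ "$(days_until_expiry "$1")" -lt "$2" ]
}

# Pull the host cert out of the running cluster's secret into file $1.
fetch_secret_cert() {
  kubectl get secret "$CERT_SECRET" -o "jsonpath={.data.$CERT_DATA_KEY}" | base64 -d > "$1"
}

# The three deletion steps from the issue; KD regenerates everything on restart.
rotate_webhook_certs() {
  kubectl delete MutatingWebhookConfiguration "$WEBHOOK_CONFIG"
  kubectl delete secret "$CERT_SECRET"
  kubectl delete pod -l name=kubedirector
}

# Live use: rotate only if the deployed host cert is within $1 days of expiry.
rotate_if_expiring() {
  threshold="${1:-30}"
  tmp=$(mktemp)
  fetch_secret_cert "$tmp"
  left=$(days_until_expiry "$tmp")
  rm -f "$tmp"
  if [ "$left" -lt "$threshold" ]; then
    echo "host cert has $left day(s) left (< $threshold); rotating"
    rotate_webhook_certs
  else
    echo "host cert has $left day(s) left; nothing to do"
  fi
}
```

Run `rotate_if_expiring 30` from a cron job or a CI step against a cluster; with no arguments it defaults to a 30-day threshold. The test fixtures use a throwaway CA, so `make_test_certs` is only for exercising the expiry math offline.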