cass-operator icon indicating copy to clipboard operation
cass-operator copied to clipboard
verified publisher icon k8ssandra

K8SSAND-1369 ⁃ Certificate rotation for cass-operator

Open Miles-Garnsey opened this issue 3 years ago • 2 comments

What is missing?

CA certificates cannot currently be rotated without downtime for cass-operator deployed clusters.

We should enable the injection of both old and new certificates during a grace period so that CAs can be rotated smoothly.

┆Issue is synchronized with this Jira Task by Unito ┆friendlyId: K8SSAND-1369 ┆priority: Medium

Miles-Garnsey avatar Mar 31 '22 02:03 Miles-Garnsey

Hey team! Please add your planning poker estimate with ZenHub @burmanm @Miles-Garnsey

jsanda avatar Apr 19 '22 18:04 jsanda

This one is relatively complex and may benefit from a preliminary research ticket. Estimates are as follows:

  • 2 days on design work to determine how this needs to work and socialise (as there are a few options and the design doc has not been approved+merged.)
  • 4 days to implement a layer of indirection so that a change to the certificates triggers a copy of the existing encryption materials before commencing rotation.
  • 4 days to implement features relating to injecting encryption materials into the truststore and combining them.

Note that I've put estimates at the higher end of the range here but I think they will be roughly accurate once we account for the need for some nuanced test cases.

Miles-Garnsey avatar Apr 20 '22 06:04 Miles-Garnsey

This work was superseded by other CA work.

burmanm avatar May 02 '24 11:05 burmanm