
Handle certificate rotation

Open flavio opened this issue 4 years ago • 2 comments

Right now the controller creates a CA and, with this CA, creates the PEM certificate used by the policy-server.

The Kubernetes API server relies on this CA to verify the identity of the PolicyServer.

We have to:

  • Automatically rotate the certificate used by the policy-server. Right now it expires after 1 year.
  • Automatically renew the CA; this one expires after 10 years (?)

flavio avatar Feb 26 '21 17:02 flavio

Worth a look, something we could leverage: https://github.com/open-policy-agent/cert-controller

flavio avatar Mar 09 '21 07:03 flavio

I always wonder why every project (like kucero for CaaSP) has to re-implement certificate handling. This should be built into Kubernetes.

kkaempf avatar Mar 09 '21 08:03 kkaempf

> Worth a look, something we could leverage: https://github.com/open-policy-agent/cert-controller

We decided not to leverage https://github.com/open-policy-agent/cert-controller since it does not support zero-downtime CA rotation. Also, we will need to fork it to adapt it to our use case, as we configure policy webhooks dynamically. Finally, it does not fully support leader election due to this bug.

fabriziosestito avatar Jul 22 '24 08:07 fabriziosestito