osm icon indicating copy to clipboard operation
osm copied to clipboard

Published 20 hours ago verified publisher icon openservicemesh

Automated Root Certificate rotation in OSM

Open snehachhabria opened this issue 3 years ago • 3 comments

#Please describe the Improvement and/or Feature Request As of today OSM's root certificate once created cannot be automatically rotated. This issue will track the root certificate rotation feature in OSM.

The tasks include:

  • [x] Proposal doc (a Google doc linked to this item)
  • [x] Design doc (a Google doc linked to this item)
  • [ ] Phase 1 Implementation
    • [x] Support Envoy xDS certificate rotation
      • #4635
    • [x] Implement MeshRootCertificate API
      • #4687
      • #4677
      • #4736
    • [x] MeshRootCertificate informer client
      • #4721
    • [x] Create or load MeshRootCertificate on install #4712
    • [ ] Update validating and mutating webhook to support the MeshRootCertificate resource
      • [ ] Validating webhook #4723
      • [x] Mutating webhook
    • [x] Refactor Manager and Certificate to support Auto Root Certificate Rotation
      • [x] Update Manager to support multiple clients
        • #4705
      • [x] Issue certificates based on client and certificate settings
        • #4743
      • [x] Refactor IssueCertificate #4810
        • #4800
    • [x] Create Issuer from MeshRootCertificate #4713
      • #4718
      • #4742
      • #4781
      • [x] Implement MRC Watch and List
        • #4816
    • [x] Update TLS configs for OSM webhooks and ADS server to dynmaically select certificate used for establishing mTLS #4819
    • [ ] Implement rotation stages
      • [ ] Update manager struct #4815
      • [x] Update webhooks configurations #4817
      • [x] Update bootstrap secret #4818
    • [ ] CLI Tooling
      • [ ] osm cert CLI cmd
        • osm cert status
        • osm cert rotate
  • [ ] Phase 2 Implementation
    • [ ] Implement detection strategy
    • [ ] Support automatic movement between rotation stages
    • [ ] Support automatic detection of expiring root certificate, creation of new root certificate, and rotation initiation
  • [ ] Unit and e2e tests
    • #4835
  • [ ] Documentation: how-to guide
  • [ ] Documentation: demo

Scope (please mark with X where applicable)

  • New Functionality [X]

snehachhabria avatar Feb 02 '22 23:02 snehachhabria

Proposal doc

jaellio avatar Mar 11 '22 01:03 jaellio

Design Doc

jaellio avatar Apr 12 '22 20:04 jaellio

Automatic root certificate rotation is out of scope for our immediate plans; we're going to start with a user-guided rotation and then elicit feedback from users

keithmattix avatar Sep 07 '22 17:09 keithmattix

The OSM project has been officially archived by the CNCF. There will be no more new development on any repo under the OpenServiceMesh organization.

phillipgibson avatar Jul 11 '23 18:07 phillipgibson