
Define certKeyBitSize and serviceCertValidityDuration certificate settings in the MeshRootCertificate

Open jaellio opened this issue 3 years ago • 3 comments

Please describe the Improvement and/or Feature Request

Part of #4502. Dependent on #4710.

I propose removing the spec.certificate fields from the OSM MeshConfig CRD and specifying the settings in the MeshRootCertificate CRD. This change would combine all OSM certificate settings into a single resource. A new version of the MeshConfig CRD, v1alpha3, would be created.

Changes to the new fields in the MeshRootCertificate resource would not trigger a root certificate rotation or modify the resource's status. OSM would watch for changes to these fields and make updates accordingly.

High-level changes:

  • support conversion between v1alpha2 <-> v1alpha3 versions of the osm MeshConfig
  • update MeshRootCertificate CRD and MRC types
  • watch new MRC fields

Scope (please mark with X where applicable)

  • New Functionality [x]
  • Install [x]
  • Certificate Management [x]

jaellio, May 02 '22 23:05

we also need to add the Vault Port to the VaultSpec

steeling, May 03 '22 21:05

Should changes to certKeyBitSize and serviceCertValidityDuration cause all existing, non-expired certificates to be rotated, or should they only be applied to all future certs?

jaellio, May 23 '22 23:05

Hmm good question!

I was actually surprised to see that we don't use certKeyBitSize for the CA generation for tresor. If we switch that, then that means a certKeyBitSize change for tresor would require a full rotation of the CA.

The other certificate managers don't face that problem. From a user perspective, if I made those changes, I would expect them to occur sooner rather than later, but I think it's a subjective answer, and we have some freedom to make a choice here!

steeling, May 23 '22 23:05
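To make the two points above concrete (the proposal to carry certKeyBitSize and serviceCertValidityDuration on the MeshRootCertificate, and the question of whether changing them rotates live certificates), here is an added Go example. It is not OSM code and does not use OSM's MeshConfig or MRC types: CertSpec, issue, NewCA, IssueServiceCert, keyBits, NeedsReissue and VerifyChain are hypothetical names, and the service name bookstore.default.svc is constructed. It builds a root whose key size is chosen independently of certKeyBitSize (the tresor behaviour described above), issues a leaf from the spec, and then shows what a controller would decide after the spec changes under a "future certs only" policy versus an "immediately" policy, plus the CA-rotation consequence if the root key did follow certKeyBitSize.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertSpec stands in for the two settings the issue proposes to move onto the
// MeshRootCertificate (assumed field names; not OSM's real MRC types).
type CertSpec struct {
	CertKeyBitSize              int
	ServiceCertValidityDuration time.Duration
}

// issue generates an RSA key of bits and signs tmpl with parent/priv (self-signed when parent is nil).
func issue(tmpl *x509.Certificate, bits int, parent *x509.Certificate, priv *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, priv = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed root. Its key size is picked independently of
// CertKeyBitSize, mirroring the tresor behaviour described in the thread.
func NewCA(caBits int) (*x509.Certificate, *rsa.PrivateKey, error) {
	now := time.Now().UTC().Truncate(time.Second)
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "osm-root-example"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, caBits, nil, nil)
}

// IssueServiceCert issues a leaf for a service identity using the key size and validity
// from spec. now is a parameter so that expiry can be reasoned about deterministically.
func IssueServiceCert(caCert *x509.Certificate, caKey *rsa.PrivateKey, cn string, spec CertSpec, now time.Time) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now = now.UTC().Truncate(time.Second) // X.509 validity times carry second precision
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.Add(spec.ServiceCertValidityDuration),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, spec.CertKeyBitSize, caCert, caKey)
	return cert, err
}

// keyBits returns the RSA modulus length of a certificate's public key (this example is RSA-only).
func keyBits(cert *x509.Certificate) int {
	return cert.PublicKey.(*rsa.PublicKey).N.BitLen()
}

// NeedsReissue answers the thread's question for one existing cert: with immediate=false a changed
// spec applies only to future issuance, so a live cert is left alone; with immediate=true any cert
// whose key size or validity window no longer matches spec is re-issued right away.
func NeedsReissue(cert *x509.Certificate, spec CertSpec, immediate bool, now time.Time) bool {
	if !now.Before(cert.NotAfter) {
		return true // expired certs are always re-issued
	}
	return immediate && (keyBits(cert) != spec.CertKeyBitSize ||
		cert.NotAfter.Sub(cert.NotBefore) != spec.ServiceCertValidityDuration)
}

// VerifyChain checks that a leaf chains to the root at time now.
func VerifyChain(caCert, leaf *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}

func main() {
	caCert, caKey, err := NewCA(2048)
	if err != nil {
		panic(err)
	}
	cert, err := IssueServiceCert(caCert, caKey, "bookstore.default.svc", CertSpec{2048, 24 * time.Hour}, time.Now())
	if err != nil {
		panic(err)
	}
	bigger := CertSpec{3072, 24 * time.Hour} // operator raises certKeyBitSize on the MRC
	fmt.Println(VerifyChain(caCert, cert, time.Now()), NeedsReissue(cert, bigger, false, time.Now()),
		NeedsReissue(cert, bigger, true, time.Now()), keyBits(caCert) != bigger.CertKeyBitSize) // last: CA rotation needed if the root key followed certKeyBitSize
}
```

The "future certs only" policy is the cheaper one operationally, but it means a weaker key size stays in use until the validity window passes, so the choice should be made with serviceCertValidityDuration in mind; the last value printed is the CA-side cost steeling describes for tresor if certKeyBitSize were applied to the root as well.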

This is a nice to have for v1.3 but not a requirement. Removing from v1.3 milestone.

jaellio, Aug 24 '22 22:08

This issue will be closed due to a long period of inactivity. If you would like this issue to remain open then please comment or update.

github-actions[bot], Oct 24 '22 00:10

This issue will be closed due to a long period of inactivity. If you would like this issue to remain open then please comment or update.

github-actions[bot], Dec 31 '22 00:12

Issue closed due to inactivity.

github-actions[bot], Jan 07 '23 00:01