This repository has been archived by the owner on Jul 11, 2023. It is now read-only.

Automated Root Certificate rotation in OSM #4502

Closed
16 of 30 tasks
snehachhabria opened this issue Feb 2, 2022 · 4 comments
Labels
area/certificate-management Certificate management kind/feature-request Feature request priority/P0 P0 priority size/XXL 40 days (2 months)

Comments

snehachhabria (Contributor) commented Feb 2, 2022

Please describe the Improvement and/or Feature Request
As of today, OSM's root certificate, once created, cannot be automatically rotated. This issue will track the root certificate rotation feature in OSM.

The tasks include:

Scope (please mark with X where applicable)

  • New Functionality [X]
snehachhabria added the area/certificate-management Certificate management, kind/feature-request Feature request and priority/P0 P0 priority labels Feb 2, 2022
jaellio self-assigned this Feb 4, 2022
trstringer added this to the vFuture milestone Feb 24, 2022
jaellio (Contributor) commented Mar 11, 2022

Proposal doc

trstringer modified the milestones: vFuture, Midterm Mar 28, 2022
trstringer modified the milestones: vFuture, v1.2 Apr 7, 2022
jaellio (Contributor) commented Apr 12, 2022

Design Doc

jaellio added a commit to jaellio/osm that referenced this issue Apr 20, 2022
Adds the Go types for the MeshRootCertificate API

Part of openservicemesh#4502

Signed-off-by: jaellio <[email protected]>
jaellio added a commit that referenced this issue Apr 22, 2022
Loads the SDS configuration for the envoy bootstrap config
from the file system. Previously, the certificates were provided
inline to the Envoy bootstrap configuration which was stored
in k8s Secret volume mounted to the Pod. This change will
allow OSM to update the certificates used when establishing a
connection with xDS without having to recreate the Pod. This
allows the envoy xDS certificates to be rotated without potential
data plane downtime.

This change updates the existing envoy bootstrap k8s secret
to include the TLS and validation context SDS configs, xDS
certificate, key, and ca cert.

This change is a part of the automated root certificate rotation
work (#4502)

Signed-off-by: jaellio <[email protected]>
nojnhuh pushed a commit that referenced this issue Apr 22, 2022
* apis: add MeshRootCertificate API types

Adds the Go types for the MeshRootCertificate API

Part of #4502

Signed-off-by: jaellio <[email protected]>

* Use v1alpha2

Signed-off-by: jaellio <[email protected]>

* Update ProviderSpec

Signed-off-by: jaellio <[email protected]>
jaellio added a commit to jaellio/osm that referenced this issue Apr 22, 2022
Adds the CRD for MeshRootCertificate API.

Part of openservicemesh#4502

Signed-off-by: jaellio <[email protected]>
jaellio added a commit to jaellio/osm that referenced this issue Apr 28, 2022
Supports multiple clients in Manager struct.
Refactoring as a part of the root cert rotation
work. During root cert rotation, there will be
2 CertManagers - the CertManager being rotated in
and the CertManager being rotated out as
specified in the MeshRootCertificates.

Part of openservicemesh#4502

Signed-off-by: jaellio <[email protected]>
keithmattix pushed a commit to keithmattix/osm that referenced this issue May 3, 2022
jaellio added a commit that referenced this issue May 6, 2022
Supports multiple clients in Manager struct. Refactoring
as a part of the root cert rotation work. During root cert
rotation, there will be 2 CertManagers - the CertManager
being rotated in and the CertManager being rotated out as
specified in the MeshRootCertificates.

The ca is moved from the Manager to the CertManagers
for each cert provider.

Part of #4502

Signed-off-by: jaellio <[email protected]>
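The two-CertManager phase described in the commit message above, as an added Go illustration that is not OSM's own code (the certManager type and the sign and trusted helpers are hypothetical stand-ins): a leaf issued by the root being rotated out and a leaf issued by the root being rotated in both verify only while the validation bundle carries both roots.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// certManager is a hypothetical stand-in for one OSM CertManager (root cert + signing key).
type certManager struct {
	root *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign builds a certificate for cn. With parent nil it is a self-signed
// root (a new CertManager); otherwise it is a leaf issued by parent.
func sign(cn string, parent *certManager) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.root, parent.key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted reports whether leaf chains to any root in the validation bundle;
// while both CertManagers coexist the bundle carries both roots.
func trusted(leaf *x509.Certificate, bundle ...*certManager) bool {
	pool := x509.NewCertPool()
	for _, m := range bundle {
		pool.AddCert(m.root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```

Dropping the outgoing root from the bundle before every workload has been re-issued under the incoming root is the failure mode to watch for: leaves from the old CertManager stop verifying immediately.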
jaellio added the size/XXL 40 days (2 months) label Jun 6, 2022
trstringer modified the milestones: v1.2, v1.3 Jul 5, 2022
keithmattix (Contributor) commented
Automatic root certificate rotation is out of scope for our immediate plans; we're going to start with a user-guided rotation and then elicit feedback from users

keithmattix modified the milestones: v1.3, vFuture Sep 7, 2022
phillipgibson (Contributor) commented
The OSM project has been officially archived by the CNCF. There will be no more new development on any repo under the OpenServiceMesh organization.
