-
Notifications
You must be signed in to change notification settings - Fork 474
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Short Rotation Period For Certificates
- Loading branch information
Showing
1 changed file
with
126 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,126 @@ | ||
| --- | ||
| title: certificate-short-rotation | ||
| authors: | ||
| - vrutkovs | ||
| reviewers: | ||
| - deads2k | ||
| approvers: | ||
| - deads2k | ||
| api-approvers: | ||
| - deads2k | ||
| creation-date: 2024-08-24 | ||
| last-updated: 2024-08-24 | ||
| tracking-link: | ||
| - https://issues.redhat.com/browse/API-1688 | ||
| --- | ||
|
|
||
| # Short Rotation Period For Certificates | ||
|
|
||
| ## Summary | ||
|
|
||
| Add new feature gate in DevPreview set so that components would issue certificates with shorter | ||
| duration - hours instead of days. | ||
|
|
||
| ## Motivation | ||
|
|
||
| Currently certificates are issued by Openshift with various validity durations, but at least its 15 | ||
| days. This makes testing certificate rotation in CI complicated - we have to emulate passing time | ||
| using time skewing. This methods shows how cluster recovers after certificates have expired, but | ||
| it doesn't help us with testing happy path when certificates rotate during standard cluster lifecycle. | ||
|
|
||
| Some components (i.e. cluster-kube-apiserver-operator) issue certificate with shorter lifetime in | ||
| development branch. This requires us to revert this change every time we branch for new release. | ||
| This also doesn't help us in CI, as it needs a similar change in the installer. | ||
| Also, most components are not using this, so we end up with some certificates valid for hours but | ||
| most would be valid for days. | ||
|
|
||
| Since the change to revert this setting requires manual pull request, there is chance that this | ||
| setting will leak into supported releases. | ||
|
|
||
| This enhancement describes a new feature gate, which would enable this feature for all components | ||
| and ensure that stable releases don't have it accidentally enabled as it uses FeatureGates. | ||
|
|
||
| ### User Stories | ||
|
|
||
| > As an Openshift developer, I want to have a setting for component to issue shorter living | ||
| > certificates so that I could verify that certificate rotation doesn't cause issues | ||
| ### Goals | ||
|
|
||
| * Create a new FeatureGate in DevPreview featureset | ||
| * Update components owning certificates to check this featuregate and issue shorter certificates | ||
| * Create e2e tests enabling this featuregate and checking that certificate rotate correctly | ||
|
|
||
| ### Non-Goals | ||
|
|
||
| * Change validity duration for existing certificates | ||
|
|
||
| ## Proposal | ||
|
|
||
| Update components to read enabled FeatureGates and update certificate issuing code | ||
|
|
||
| ### Workflow Description | ||
|
|
||
| N/A | ||
|
|
||
| ### API Extensions | ||
|
|
||
| N/A | ||
|
|
||
| ### Topology Considerations | ||
|
|
||
| #### Hypershift / Hosted Control Planes | ||
|
|
||
| N/A | ||
|
|
||
| #### Standalone Clusters | ||
|
|
||
| N/A | ||
|
|
||
| #### Single-node Deployments or MicroShift | ||
|
|
||
| Not applicable to MicroShift - it doesn't issue certificates via operators | ||
|
|
||
| ### Implementation Details/Notes/Constraints | ||
|
|
||
|
|
||
| ### Risks and Mitigations | ||
|
|
||
|
|
||
| ### Drawbacks | ||
|
|
||
|
|
||
| ## Open Questions [optional] | ||
|
|
||
|
|
||
| ## Test Plan | ||
|
|
||
| End to end testing this feature would: | ||
| * enable ShortCertificateRotation featuregate | ||
| * observe the cluster for 8 hours | ||
| * run minimal testsuite to ensure that main cluster functions are not affected | ||
|
|
||
| ## Graduation Criteria | ||
|
|
||
| This featuregate is not meant to be graduated - its intended to be developer-only setting | ||
|
|
||
| ### Removing a deprecated feature | ||
|
|
||
|
|
||
| ## Upgrade / Downgrade Strategy | ||
|
|
||
| Setting DevPreview is permanent - there is no way to upgrade or downgrade the cluster. | ||
|
|
||
| ## Version Skew Strategy | ||
|
|
||
| N/A | ||
|
|
||
| ## Operational Aspects of API Extensions | ||
|
|
||
| N/A | ||
|
|
||
| ## Support Procedures | ||
|
|
||
| This setting is unsupported | ||
|
|
||
| ## Alternatives |