From b6fc4a1eb3bdf9a13a54c413e51a4f9ed39a1bc7 Mon Sep 17 00:00:00 2001 From: Vadim Rutkovsky Date: Wed, 28 Aug 2024 16:29:47 +0200 Subject: [PATCH] Add Short Rotation Period For Certificates --- enhancements/certificate-short-rotation.md | 126 +++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 enhancements/certificate-short-rotation.md diff --git a/enhancements/certificate-short-rotation.md b/enhancements/certificate-short-rotation.md new file mode 100644 index 00000000000..b04f273e58a --- /dev/null +++ b/enhancements/certificate-short-rotation.md @@ -0,0 +1,126 @@ +--- +title: certificate-short-rotation +authors: + - vrutkovs +reviewers: + - deads2k +approvers: + - deads2k +api-approvers: + - deads2k +creation-date: 2024-08-24 +last-updated: 2024-08-24 +tracking-link: + - https://issues.redhat.com/browse/API-1688 +--- + +# Short Rotation Period For Certificates + +## Summary + +Add new feature gate in DevPreview set so that components would issue certificates with shorter +duration - hours instead of days. + +## Motivation + +Currently certificates are issued by Openshift with various validity durations, but at least its 15 +days. This makes testing certificate rotation in CI complicated - we have to emulate passing time +using time skewing. This methods shows how cluster recovers after certificates have expired, but +it doesn't help us with testing happy path when certificates rotate during standard cluster lifecycle. + +Some components (i.e. cluster-kube-apiserver-operator) issue certificate with shorter lifetime in +development branch. This requires us to revert this change every time we branch for new release. +This also doesn't help us in CI, as it needs a similar change in the installer. +Also, most components are not using this, so we end up with some certificates valid for hours but +most would be valid for days. + +Since the change to revert this setting requires manual pull request, there is chance that this +setting will leak into supported releases. + +This enhancement describes a new feature gate, which would enable this feature for all components +and ensure that stable releases don't have it accidentally enabled as it uses FeatureGates. + +### User Stories + +> As an Openshift developer, I want to have a setting for component to issue shorter living +> certificates so that I could verify that certificate rotation doesn't cause issues + +### Goals + +* Create a new FeatureGate in DevPreview featureset +* Update components owning certificates to check this featuregate and issue shorter certificates +* Create e2e tests enabling this featuregate and checking that certificate rotate correctly + +### Non-Goals + +* Change validity duration for existing certificates + +## Proposal + +Update components to read enabled FeatureGates and update certificate issuing code + +### Workflow Description + +N/A + +### API Extensions + +N/A + +### Topology Considerations + +#### Hypershift / Hosted Control Planes + +N/A + +#### Standalone Clusters + +N/A + +#### Single-node Deployments or MicroShift + +Not applicable to MicroShift - it doesn't issue certificates via operators + +### Implementation Details/Notes/Constraints + + +### Risks and Mitigations + + +### Drawbacks + + +## Open Questions [optional] + + +## Test Plan + +End to end testing this feature would: +* enable ShortCertificateRotation featuregate +* observe the cluster for 8 hours +* run minimal testsuite to ensure that main cluster functions are not affected + +## Graduation Criteria + +This featuregate is not meant to be graduated - its intended to be developer-only setting + +### Removing a deprecated feature + + +## Upgrade / Downgrade Strategy + +Setting DevPreview is permanent - there is no way to upgrade or downgrade the cluster. + +## Version Skew Strategy + +N/A + +## Operational Aspects of API Extensions + +N/A + +## Support Procedures + +This setting is unsupported + +## Alternatives