
Re: OSE default SSL certs



On Thu, Feb 4, 2016 at 1:54 PM, Srinivas Naga Kotaru (skotaru)
<skotaru cisco com> wrote:
> As part of the OSE 3.X installation we have to generate multiple SSL certs for
> cluster objects to communicate (master, node, router, registry etc). I
> know all communication within OSE uses SSL. By default we might be
> generating certs using the OSE-provided CA cert and key.
>
> Questions
> ========
> What is the validity of these certs?

The main certs will be the Master and Node.  If the defaults are used
I think they will be valid for one year.

Eventually we'll switch the router and registry over to using
serviceaccount tokens.  Everything pods need to securely connect to
the Master can be injected in at pod start.  The router and registry
were created before that infrastructure existed which is why we hacked
around it with environment variables.

> Will OSE automatically monitor and renew?

Not yet.  Over time more of this type of monitoring will be handled by
OpenShift itself.

> If not, do infra teams have to closely monitor and renew before expiration?
> Can we use any SSL certs instead of using the OSE default CA authority?

Today the deployment of a custom CA to be used for internal
communication to the master is manual.  We're working to make that
much easier as part of
https://trello.com/c/NsT6f1HL/38-8-atomic-openshift-installer-support-for-redeploying-certificates

> What is the impact if we don't renew these internal certs?

Depending on how widespread the problem was it could definitely degrade service.

> If a customer has multiple clusters in production, don't you think it is too
> much of a burden to watch and renew?

We definitely understand the burden for large environments.  Ideally
we'll integrate with various types of PKI.

> Any other useful information for cluster admins or planners?
>
> --
> Srinivas Kotaru
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
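The reply above says OSE does not yet watch its own certificates, so the infra team has to find the expiring ones before they take the master or nodes down. Below is an added example of the check an admin would cron for that; it is not code from this thread, from OpenShift or from Red Hat. It assumes openssl is on PATH and that the cluster certificates are PEM files named *.crt under /etc/origin/master and /etc/origin/node (the OSE 3.x default locations); pass other directories if your layout differs.

```shell
#!/bin/sh
# Expiry check for OpenShift 3.x cluster certificates.
# Added example for this thread, not code from OpenShift or from the poster.
# Assumptions: openssl is on PATH; certs are PEM files named *.crt under
# /etc/origin/master and /etc/origin/node (OSE 3.x defaults) or whatever
# directories are passed on the command line.

# Exit 0 if the PEM certificate in $1 stays valid for at least $2 more days,
# 1 if it expires within that window (or has already expired).
# openssl's -checkend takes seconds and does the date comparison itself,
# so the notAfter string never has to be parsed with GNU date.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Scan the *.crt files directly inside each directory given after the
# threshold. Print one line per certificate expiring within $1 days and
# return 1 if any was found, 0 if all are fine. Missing directories and
# directories without certs are skipped. The CA cert (ca.crt) is checked
# along with the rest: when it expires, every cert it issued stops
# validating at the same moment.
check_cert_dirs() {
    warn_days=$1
    shift
    found=0
    for dir in "$@"; do
        for crt in "$dir"/*.crt; do
            [ -f "$crt" ] || continue
            if ! cert_valid_for_days "$crt" "$warn_days"; then
                echo "EXPIRING within ${warn_days}d: $crt ($(openssl x509 -in "$crt" -noout -enddate))"
                found=1
            fi
        done
    done
    return $found
}

# Usage: check-certs.sh DAYS DIR [DIR...]
# e.g.   check-certs.sh 30 /etc/origin/master /etc/origin/node
# The scan only runs when arguments are given, so the functions can be
# sourced by other scripts without side effects.
if [ $# -ge 2 ]; then
    check_cert_dirs "$@"
fi
```

Run it from cron on every master and node with a threshold comfortably longer than the time it takes you to redeploy certificates, and alert on a non-zero exit; the printed notAfter line tells you which cert needs renewing first. Router and registry certs injected through environment variables, as the reply describes, live in the pod's secret or volume rather than under /etc/origin, so check those paths too.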

