Re: OSE default SSL certs


That is good info. Just checked all the certs' validity.

Master and node certs are valid for 1 year, and other certs (master.proxy-client, master.kubelet-client.crt, openshift-router.crt, openshift-registry.crt) are valid for 2 years.

I didn't find any documentation on how to renew the default certs post-deployment. Can you point me to the right source?

Srinivas Kotaru

On 2/5/16, 12:41 PM, "Brenton Leanhardt" <bleanhar redhat com> wrote:

>On Thu, Feb 4, 2016 at 1:54 PM, Srinivas Naga Kotaru (skotaru)
><skotaru cisco com> wrote:
>> As part of OSE 3.X installation we have to generate multiple SSL certs for
>> cluster objects to communicate (master, node, router, registry etc.). I
>> know all communication within OSE uses SSL. By default we might be
>> generating certs using the OSE-provided CA cert and key.
>> Questions
>> ========
>> What is the validity of these certs?
>The main certs will be the Master and Node.  If the defaults are used
>I think they will be valid for one year.
>Eventually we'll switch the router and registry over to using
>serviceaccount tokens.  Everything pods need to securely connect to
>the Master can be injected in at pod start.  The router and registry
>were created before that infrastructure existed which is why we hacked
>around it with environment variables.
>> Will OSE automatically monitor and renew?
>Not yet.  Over time more of this type of monitoring will be handled by
>OpenShift itself.
>> If not, do infra teams have to closely monitor and renew before expiration?
>> Can we use any SSL certs instead of using the OSE default CA authority?
>Today the deployment of a custom CA to be used for internal
>communication to the master is manual.  We're working to make that
>much easier as part of
>> What is the impact if we don't renew these internal certs?
>Depending on how widespread the problem was it could definitely degrade service.
>> If a customer has multiple clusters in production, don't you think it is too
>> much of a burden to watch and renew?
>We definitely understand the burden for large environments.  Ideally
>we'll integrate with various types of PKI.
>> Any other useful information for cluster admins or planners?
>> --
>> Srinivas Kotaru
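Added example, not part of this thread and not OpenShift code, of the expiry monitoring the thread says infra teams have to do themselves: it reads notBefore/notAfter out of each PEM certificate by walking the DER with the standard library only, and flags any cert inside an assumed 30-day renewal window. sample_cert builds a constructed, unsigned placeholder certificate so the block runs offline; the cert names, directories and warning window used in practice are the admin's own choices.

```python
import base64
import datetime
import ssl

def _tlv(buf, i):
    """Decode one DER TLV at offset i -> (tag, value, offset of the next element)."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def _children(body):                                # (tag, value) elements of a SEQUENCE body
    out, i = [], 0
    while i < len(body):
        tag, val, i = _tlv(body, i)
        out.append((tag, val))
    return out

def validity(pem):
    """(notBefore, notAfter) of a PEM certificate, found by walking its DER."""
    _, cert, _ = _tlv(ssl.PEM_cert_to_DER_cert(pem), 0)  # Certificate ::= SEQUENCE
    tbs = _children(_children(cert)[0][1])               # tbsCertificate fields
    if tbs[0][0] == 0xA0:                                # optional EXPLICIT [0] version
        tbs = tbs[1:]
    times = []
    for tag, val in _children(tbs[3][1]):                # serial, sigAlg, issuer, validity
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
        times.append(datetime.datetime.strptime(val.decode("ascii"), fmt))
    return tuple(times)

def expiry_report(certs, now, warn_days=30):        # warn_days=30 is an assumed policy
    """{name: pem} -> {name: (days_left, needs_renewal)}."""
    out = {}
    for name, pem in certs.items():
        days = (validity(pem)[1] - now).days
        out[name] = (days, days < warn_days)
    return out

def _der(tag, body):                                # short-form lengths only; enough here
    return bytes([tag, len(body)]) + body

def sample_cert(not_before, not_after):
    """Constructed, unsigned, minimal cert used only as sample input (not an OSE cert)."""
    t = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, t(not_before) + t(not_after)))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

On a real cluster, build the dict passed to expiry_report by reading the PEM files named in the thread (master.kubelet-client.crt, openshift-router.crt, openshift-registry.crt and the rest) from the master and node hosts, and pass datetime.datetime.utcnow() as now.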
