[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: OSE default SSL certs



Brenton 

That is good info. Just checked all the certs' validity.

Master and node certs are valid for 1 year. The other certs (master.proxy-client, master.kubelet-client.crt, openshift-router.crt, openshift-registry.crt) are valid for 2 years.

I didn't find any documentation on how to renew the default certs post-deployment. Can you point me to the right source?


-- 
Srinivas Kotaru






On 2/5/16, 12:41 PM, "Brenton Leanhardt" <bleanhar redhat com> wrote:

>On Thu, Feb 4, 2016 at 1:54 PM, Srinivas Naga Kotaru (skotaru)
><skotaru cisco com> wrote:
>> As part of OSE 3.X installation we have to generate multiple SSL certs for
>> cluster objects to communicate (master, node, router, registry etc). I
>> know all communication within OSE uses SSL. By default we might be
>> generating certs using the OSE-provided CA cert and key.
>>
>> Questions
>> ========
>> What is the validity of these certs?
>
>The main certs will be the Master and Node.  If the defaults are used
>I think they will be valid for one year.
>
>Eventually we'll switch the router and registry over to using
>serviceaccount tokens.  Everything pods need to securely connect to
>the Master can be injected in at pod start.  The router and registry
>were created before that infrastructure existed which is why we hacked
>around it with environment variables.
>
>> Will OSE automatically monitor and renew?
>
>Not yet.  Over time more of this type of monitoring will be handled by
>OpenShift itself.
>
>> If not, infra teams have to closely monitor and renew before expiration?
>> Can we use any SSL certs instead of using the OSE default CA authority?
>
>Today the deployment of a custom CA to be used for internal
>communication to the master is manual.  We're working to make that
>much easier as part of
>https://trello.com/c/NsT6f1HL/38-8-atomic-openshift-installer-support-for-redeploying-certificates
>
>> What is the impact if we don't renew these internal certs?
>
>Depending on how widespread the problem was it could definitely degrade service.
>
>> If a customer has multiple clusters in production, don't you think it is too
>> much of a burden to watch and renew?
>
>We definitely understand the burden for large environments.  Ideally
>we'll integrate with various types of PKI.
>
>> Any other useful information for cluster admins or planners?
>>
>> --
>> Srinivas Kotaru
>>
>> _______________________________________________
>> users mailing list
>> users lists openshift redhat com
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>

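Since the thread says OSE does not yet monitor certificate expiry and infra teams have to watch the default certs themselves, here is a small expiry check as an added example. It is not code from the thread or from OpenShift; it assumes GNU `date -d` and the `openssl` command-line tool, and the `/etc/origin/...` file locations in the usage comment are an assumption about the default layout, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or OpenShift.
# Reports days until expiry for each PEM certificate given on the
# command line and fails when any cert is inside a warning window.
# Assumes the openssl CLI and GNU date (date -d); the default OSE
# paths in the usage comment at the bottom are an assumption.

# cert_days_left FILE : print the whole days until FILE's notAfter.
# Returns non-zero if the file is missing or is not a parseable cert.
cert_days_left() {
    enddate=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 1
    enddate=${enddate#notAfter=}                  # e.g. "Feb  5 20:41:00 2017 GMT"
    expiry=$(date -u -d "$enddate" +%s) || return 1
    now=$(date -u +%s)
    echo $(( (expiry - now) / 86400 ))
}

# check_certs WARN_DAYS FILE... : one line per cert; returns 1 if any
# cert is unreadable or expires within WARN_DAYS, so it can drive cron
# or a monitoring check.
check_certs() {
    warn_days=$1; shift
    rc=0
    for f in "$@"; do
        if days=$(cert_days_left "$f"); then
            if [ "$days" -lt "$warn_days" ]; then
                echo "WARN  $f expires in $days days"
                rc=1
            else
                echo "OK    $f expires in $days days"
            fi
        else
            echo "ERROR $f: cannot read certificate"
            rc=1
        fi
    done
    return $rc
}

# When run as a script, check the certs named on the command line with a
# 30-day warning window. Typical OSE 3.x master/node cert locations
# (assumed, verify on your install):
#   check_certs 30 /etc/origin/master/master.server.crt \
#       /etc/origin/master/master.proxy-client.crt \
#       /etc/origin/master/master.kubelet-client.crt \
#       /etc/origin/master/openshift-router.crt \
#       /etc/origin/master/openshift-registry.crt \
#       /etc/origin/node/server.crt
if [ "$#" -gt 0 ]; then
    check_certs 30 "$@"
fi
```

Run it from cron on each master and node with a window comfortably longer than your renewal lead time; the 1-year master/node certs mentioned above are the ones that bite first, so a 30- or 60-day warning is reasonable. A missing or unreadable file is treated as a failure on purpose, since a silently absent cert is exactly the case a monitoring check must not report as healthy.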
