
Re: OSE default SSL certs



On Fri, Feb 5, 2016 at 4:05 PM, Srinivas Naga Kotaru (skotaru)
<skotaru cisco com> wrote:
> Brenton
>
> That is good info. Just checked all the certs validity
>
> Master and node certs are valid for 1 year, and the other certs (master.proxy-client, master.kubelet-client.crt, openshift-router.crt, openshift-registry.crt) are valid for 2 years.
>
> I didn't find any documentation on how to renew the default certs post deployment. Can you point me to the right source?

Part of the upgrade process from earlier versions of Origin and OSE
involved regenerating the certificates.  That process is described
here:

https://docs.openshift.com/enterprise/3.1/install_config/upgrades.html#updating-master-and-node-certificates

While that process involves using oadm some admins may prefer to use
openssl directly.  In that case I would probably use 'openssl x509
-x509toreq' to create a certificate request from the preexisting
certificates.  Then I would sign the CSRs with the CA of my choosing.
The Master would still need to have a copy of that CA or at least a
subordinate CA.

>
>
> --
> Srinivas Kotaru
>
>
>
>
>
>
> On 2/5/16, 12:41 PM, "Brenton Leanhardt" <bleanhar redhat com> wrote:
>
>>On Thu, Feb 4, 2016 at 1:54 PM, Srinivas Naga Kotaru (skotaru)
>><skotaru cisco com> wrote:
>>> As part of OSE 3.X installation we have to generate multiple SSL certs for
>>> cluster objects to communicate (master, node, router, registry etc). I
>>> know all communication within OSE uses SSL. By default we might be
>>> generating certs using the OSE-provided CA cert and key.
>>>
>>> Questions
>>> ========
>>> What is the validity of these certs?
>>
>>The main certs will be the Master and Node.  If the defaults are used
>>I think they will be valid for one year.
>>
>>Eventually we'll switch the router and registry over to using
>>serviceaccount tokens.  Everything pods need to securely connect to
>>the Master can be injected in at pod start.  The router and registry
>>were created before that infrastructure existed which is why we hacked
>>around it with environment variables.
>>
>>> Will OSE automatically monitor and renew?
>>
>>Not yet.  Over time more of this type of monitoring will be handled by
>>OpenShift itself.
>>
>>> If not, do infra teams have to closely monitor and renew before expiration?
>>> Can we use any SSL certs instead of using the OSE default CA authority?
>>
>>Today the deployment of a custom CA to be used for internal
>>communication to the master is manual.  We're working to make that
>>much easier as part of
>>https://trello.com/c/NsT6f1HL/38-8-atomic-openshift-installer-support-for-redeploying-certificates
>>
>>> What is the impact if we don't renew these internal certs?
>>
>>Depending on how widespread the problem was, it could definitely degrade service.
>>
>>> If a customer has multiple clusters in production, don't you think it is too
>>> much of a burden to watch and renew?
>>
>>We definitely understand the burden for large environments.  Ideally
>>we'll integrate with various types of PKI.
>>
>>> Any other useful information for cluster admins or planners?
>>>
>>> --
>>> Srinivas Kotaru
>>>
>>> _______________________________________________
>>> users mailing list
>>> users lists openshift redhat com
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>

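Brenton's openssl route (CSR from the existing cert via `openssl x509 -x509toreq`, signed by a CA of your choosing), together with the expiry check that the validity question earlier in the thread calls for, as an added example that is not part of the original messages. The throwaway CA, the node cert, the subjects and the file paths are constructed for the demo, and the script assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread): renew a cert from its predecessor with
# plain openssl, as described in the reply above, and check how soon certs expire.
# Every file name and subject below is constructed for the demo.
set -eu

# Exit 0 if CERT stays valid for at least SECONDS more, 1 if it expires sooner.
cert_valid_for() {
    cert=$1; seconds=$2
    openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null
}

# Build a CSR from the existing cert (keeps its subject, reuses its key), then
# sign it with the chosen CA and verify the result chains to that CA.
# Caveat: extensions such as SANs are not carried into the CSR by default, so
# inspect the new cert with 'openssl x509 -text' and re-add them with -extfile
# if the old cert relied on them.
renew_from_existing() {
    old_crt=$1; old_key=$2; ca_crt=$3; ca_key=$4; new_crt=$5; days=$6
    openssl x509 -x509toreq -in "$old_crt" -signkey "$old_key" \
        -out "$new_crt.csr" 2>/dev/null
    openssl x509 -req -in "$new_crt.csr" -CA "$ca_crt" -CAkey "$ca_key" \
        -CAcreateserial -days "$days" -out "$new_crt" 2>/dev/null
    openssl verify -CAfile "$ca_crt" "$new_crt" >/dev/null
}

# Self-contained walkthrough: a throwaway CA, a node cert that expires within
# a day, a one-year renewal, and an expiry check (two-day window) on both.
demo_renew() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo-ca -days 3650 \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=node1.example.test \
        -days 1 -keyout "$work/node.key" -out "$work/node.crt" 2>/dev/null
    # The old cert must already look near expiry, otherwise the demo is wrong.
    cert_valid_for "$work/node.crt" 172800 && return 1
    renew_from_existing "$work/node.crt" "$work/node.key" \
        "$work/ca.crt" "$work/ca.key" "$work/node-renewed.crt" 365
    cert_valid_for "$work/node-renewed.crt" 172800 || return 1
    openssl x509 -in "$work/node-renewed.crt" -noout -subject -enddate
    rm -rf "$work"
}
```

Run `demo_renew` to see the renewed subject and its new notAfter date; in a real cluster the renewed file replaces the one under the master's config directory and the service is restarted.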
