
autocert: Renew when 80% of the time until expiration is elapsed #1332

Merged: 1 commit, Nov 2, 2022

Conversation

vadmeste (Member)

Currently, the auto generated MinIO certificate is auto renewed before 48 hours of the expiration date. Since the operator does not set an expiry date, some certificates are short lived, therefore the operator will try to renew the certificate all the time.

The solution is to renew only when 80% of the time until the certificate expiration date has elapsed.

Currently, the auto generated MinIO certificate is auto renewed before
48 hours of the expiration date. Since the operator does not set an
expiry date, some certificates are short lived, therefore the operator
will try to renew the certificate all the time.

The solution is to renew only when 80% of the time until the certificate
expiration date has elapsed.
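The two policies side by side, as an added example that is not code from the minio/operator repository: a throwaway self-signed certificate stands in for the operator-issued one, and the subject name, the three lifetimes and the evaluation times are assumptions for the illustration. With a fixed 48-hour lead time a 1-hour certificate is due for renewal the moment it is issued; with the 80% rule it is due only after 48 minutes, and a 365-day certificate after roughly 292 days.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// renewalFraction is the share of the certificate lifetime that must have
// elapsed before renewal is attempted (the 80% rule from this PR).
const renewalFraction = 0.8

// fixedLeadTime is the pre-PR rule: renew once fewer than 48h remain.
const fixedLeadTime = 48 * time.Hour

// parseCertPEM decodes the first CERTIFICATE block of a PEM bundle.
func parseCertPEM(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// needsRenewalFixed implements the pre-PR policy: renew when the time left
// before NotAfter drops below a fixed lead time. For a certificate whose
// whole lifetime is shorter than the lead time this is true from issuance.
func needsRenewalFixed(cert *x509.Certificate, now time.Time, lead time.Duration) bool {
	return cert.NotAfter.Sub(now) < lead
}

// needsRenewalFraction implements the policy this PR introduces: renew once
// `fraction` of the validity window [NotBefore, NotAfter] has elapsed, so
// the renewal point scales with whatever lifetime the signer granted.
func needsRenewalFraction(cert *x509.Certificate, now time.Time, fraction float64) bool {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	if lifetime <= 0 {
		return true // empty or inverted validity window: treat as due
	}
	elapsed := now.Sub(cert.NotBefore)
	return float64(elapsed) >= fraction*float64(lifetime)
}

// selfSignedPEM issues a throwaway self-signed certificate with the given
// validity window. It stands in for the operator-issued MinIO certificate;
// the subject name is an assumption made for this example.
func selfSignedPEM(notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "minio.example.svc"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	issued := time.Date(2022, 11, 1, 0, 0, 0, 0, time.UTC) // assumed issue time
	for _, lifetime := range []time.Duration{time.Hour, 24 * time.Hour, 365 * 24 * time.Hour} {
		certPEM, err := selfSignedPEM(issued, issued.Add(lifetime))
		if err != nil {
			panic(err)
		}
		cert, err := parseCertPEM(certPEM)
		if err != nil {
			panic(err)
		}
		// Evaluate both policies one minute after issuance and at 80% of lifetime.
		atIssue := issued.Add(time.Minute)
		at80 := issued.Add(time.Duration(float64(lifetime) * renewalFraction))
		fmt.Printf("lifetime=%v fixed48h@issue=%v fraction@issue=%v fraction@80%%=%v\n",
			lifetime,
			needsRenewalFixed(cert, atIssue, fixedLeadTime),
			needsRenewalFraction(cert, atIssue, renewalFraction),
			needsRenewalFraction(cert, at80, renewalFraction))
	}
}
```

The decision is taken from the parsed certificate's own NotBefore and NotAfter rather than from a remembered issue time, so it stays correct after an operator restart and for certificates the signer issued with a lifetime other than the one requested.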
@harshavardhana (Member)

> Currently, the auto generated MinIO certificate is auto renewed before 48 hours of the expiration date. Since the operator does not set an expiry date, some certificates are short lived, therefore the operator will try to renew the certificate all the time.
>
> The solution is to renew only when 80% of the time until the certificate expiration date has elapsed.

We should set the expiration by default to 365 days @vadmeste

@vadmeste (Member, Author)

> We should set the expiration by default to 365 days @vadmeste

It requires k8s 1.22 and I am not sure it will work everywhere

@harshavardhana (Member)

> It requires k8s 1.22 and I am not sure it will work everywhere

Can we do that on k8s 1.22 and above at least?

@pjuarezd (Member)

pjuarezd commented Nov 1, 2022

In Kubernetes, the default is already 1 year, unless explicitly set otherwise.

> The PKCS#10 signing request format does not have a standard mechanism to specify a certificate expiration or lifetime. The expiration or lifetime therefore has to be set through the spec.expirationSeconds field of the CSR object. The built-in signers use the ClusterSigningDuration configuration option, which defaults to 1 year, (the --cluster-signing-duration command-line flag of the kube-controller-manager) as the default when no spec.expirationSeconds is specified. When spec.expirationSeconds is specified, the minimum of spec.expirationSeconds and ClusterSigningDuration is used.

If I am understanding it right, per the Signers and Certificate rotation Kubernetes documentation, the expiration time is decided as follows:

[diagram: csr ttl (drawio image)]

I like the idea of 80%. Whenever the cluster is set to a low certificate expiration time, it is better to rotate based on the consumption of the certificate expiration, rather than at a fixed 48 hours.

Regardless, if the default is set to something that low, we are going to keep seeing frequent rotations anyway.
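An added example, not code from the operator or from Kubernetes, that encodes the lifetime rule quoted above (spec.expirationSeconds capped at ClusterSigningDuration, ClusterSigningDuration alone when the field is unset) and then simulates an operator reconcile loop to count how many renewals a 30-day window produces under the old 48-hour rule and the PR's 80% rule. The 365-day request is the one proposed in this thread; the 5-minute reconcile tick, the 30-day horizon, the three cluster signing durations and modelling an unset spec.expirationSeconds as 0 are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"time"
)

// effectiveLifetime applies the rule for the built-in Kubernetes signers:
// spec.expirationSeconds, when set, is capped at the controller's
// ClusterSigningDuration; when unset, ClusterSigningDuration is used as-is.
// requested == 0 models an unset spec.expirationSeconds (an assumption of
// this example, not a Kubernetes convention).
func effectiveLifetime(requested, clusterSigningDuration time.Duration) time.Duration {
	if requested <= 0 || requested > clusterSigningDuration {
		return clusterSigningDuration
	}
	return requested
}

// renewFixed is the pre-PR rule: renew when less than `lead` remains.
func renewFixed(notAfter, now time.Time, lead time.Duration) bool {
	return notAfter.Sub(now) < lead
}

// renewFraction is the PR's rule: renew once `fraction` of the lifetime has elapsed.
func renewFraction(notBefore, notAfter, now time.Time, fraction float64) bool {
	lifetime := notAfter.Sub(notBefore)
	return float64(now.Sub(notBefore)) >= fraction*float64(lifetime)
}

// countRenewals simulates a reconcile loop that wakes every `tick` for
// `horizon`, re-issuing a certificate of `lifetime` whenever shouldRenew
// says so, and returns how many re-issues happened. A renewal restarts the
// validity window at the current simulated time.
func countRenewals(lifetime, tick, horizon time.Duration,
	shouldRenew func(notBefore, notAfter, now time.Time) bool) int {
	start := time.Date(2022, 11, 1, 0, 0, 0, 0, time.UTC) // assumed start of simulation
	notBefore, notAfter := start, start.Add(lifetime)
	renewals := 0
	for now := start; now.Before(start.Add(horizon)); now = now.Add(tick) {
		if shouldRenew(notBefore, notAfter, now) {
			renewals++
			notBefore, notAfter = now, now.Add(lifetime)
		}
	}
	return renewals
}

func fixedPolicy(_, notAfter, now time.Time) bool {
	return renewFixed(notAfter, now, 48*time.Hour)
}

func fractionPolicy(notBefore, notAfter, now time.Time) bool {
	return renewFraction(notBefore, notAfter, now, 0.8)
}

func main() {
	const requested = 365 * 24 * time.Hour // the 365 days proposed in the thread
	tick, horizon := 5*time.Minute, 30*24*time.Hour
	for _, csd := range []time.Duration{365 * 24 * time.Hour, 24 * time.Hour, time.Hour} {
		lifetime := effectiveLifetime(requested, csd)
		fmt.Printf("cluster-signing-duration=%v effective=%v renewals/30d: fixed48h=%d fraction80=%d\n",
			csd, lifetime,
			countRenewals(lifetime, tick, horizon, fixedPolicy),
			countRenewals(lifetime, tick, horizon, fractionPolicy))
	}
}
```

With a 1-hour cluster signing duration the fixed rule re-issues on every one of the 8640 ticks, because the certificate never has 48 hours left; the 80% rule re-issues on the first tick past 48 minutes, so 863 times. Requesting 365 days changes nothing in either case, since the signer caps the lifetime at its own setting.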

4 participants