IDP should autogenerate certificate and secret #3909
Is your feature request related to a problem? Please describe.
The IDP autogenerates a certificate and secret in memory to sign sessions. This means a restart yields a new certificate and secret and therefore invalidates all sessions.
Describe the solution you'd like
The IDP should autogenerate and persist the certificate and secret on disk by default.
Describe alternatives you've considered
You can generate a certificate and a secret manually, so that your sessions survive a restart:
Then you need to configure the IDP to use them:
Additional context
Having the certificate on disk can also prevent a split-brain situation if you deploy oCIS on two servers. If they share the same data volume (e.g. an NFS share), they just use the same certificate and secret. If they have it in memory they create sessions only valid for themselves, which is fatal in round-robin load-balanced situations.
Comments
But auto-generating the certificate could also lead to a split-brain situation when we deploy multiple IDP services.
If we only generate once and have shared storage (we need that also for the autogenerated LDAP CA for the IDM and all LDAP-consuming services), then we should be fine. Preferably, distributed systems will not rely on the auto generation. E.g. our oCIS Helm chart will provide external certificates.
That's true. Ok, let me try to implement something.
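As an added example, not code from the issue or from oCIS, the following Python model shows the two behaviours discussed in this thread: a session signed with an in-memory secret is rejected by a sibling instance and dies with a restart, while a secret generated exactly once on a shared data directory is accepted by both and survives the restart. The IDP's real signing material is a certificate and key; an HMAC secret stands in for it here, and the `idp-secret` file name and the data directory layout are assumptions.

```python
# Added example (not oCIS code): models how a session-signing secret that is
# generated once and persisted on disk survives restarts and is shared by
# several instances, while an in-memory secret is not. The real IDP signs
# sessions with a certificate/key pair; an HMAC secret stands in for it here.
import base64, hashlib, hmac, json, os, secrets, tempfile

def load_or_create_secret(data_dir):
    """Return the signing secret stored in data_dir/idp-secret, creating it
    exactly once. O_EXCL makes creation atomic, so two instances starting at
    the same time on a shared volume cannot both write a different secret."""
    path = os.path.join(data_dir, "idp-secret")  # assumed file name
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        with open(path, "rb") as f:
            return f.read()
    secret = secrets.token_bytes(32)
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    return secret

class Idp:
    """One IDP instance. data_dir=None mirrors the current in-memory behaviour."""
    def __init__(self, data_dir=None):
        self.secret = load_or_create_secret(data_dir) if data_dir else secrets.token_bytes(32)

    def issue_session(self, user):
        payload = json.dumps({"sub": user}, separators=(",", ":")).encode()
        mac = hmac.new(self.secret, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + mac).decode()

    def verify_session(self, token):
        raw = base64.urlsafe_b64decode(token)
        payload, mac = raw[:-32], raw[-32:]
        expected = hmac.new(self.secret, payload, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)

def sessions_survive(persist):
    """Simulate two load-balanced instances, then a restart of the first.
    Returns (peer_accepts_session, restarted_instance_accepts_session)."""
    data_dir = tempfile.mkdtemp() if persist else None  # stands in for a shared volume
    a, b = Idp(data_dir), Idp(data_dir)
    token = a.issue_session("alice")
    peer_accepts = b.verify_session(token)
    a_restarted = Idp(data_dir)
    return peer_accepts, a_restarted.verify_session(token)
```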