[tls] update CA/cert default duration

* CAs to be valid for 10 years * libvirt certs valid for 5 years * all other certs valid for 15months. Default renewBefore is 90days With 15monts the certs start to get rotated after one year.
stuggi · Apr 26, 2024 · e342f44 · e342f44
1 parent ab4f6ff
commit e342f44
Show file tree

Hide file tree

Showing 7 changed files with 61 additions and 41 deletions.
diff --git a/apis/bases/core.openstack.org_openstackcontrolplanes.yaml b/apis/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -17103,27 +17103,27 @@ spec:
                 default:
                   ingress:
                     ca:
-                      duration: 43800h
+                      duration: 87600h
                     cert:
-                      duration: 8760h
+                      duration: 10950h
                     enabled: true
                   podLevel:
                     enabled: true
                     internal:
                       ca:
-                        duration: 43800h
+                        duration: 87600h
                       cert:
-                        duration: 8760h
+                        duration: 10950h
                     libvirt:
                       ca:
-                        duration: 43800h
+                        duration: 87600h
                       cert:
-                        duration: 17520h
+                        duration: 43800h
                     ovn:
                       ca:
-                        duration: 43800h
+                        duration: 87600h
                       cert:
-                        duration: 8760h
+                        duration: 10950h
                 properties:
                   caBundleSecretName:
                     type: string

diff --git a/apis/core/v1beta1/openstackcontrolplane_types.go b/apis/core/v1beta1/openstackcontrolplane_types.go
@@ -80,7 +80,7 @@ type OpenStackControlPlaneSpec struct {
 
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
-	// +kubebuilder:default={ingress: {enabled: true, ca: {duration: "43800h"}, cert: {duration: "8760h"}}, podLevel: {enabled: true, internal:{ca: {duration: "43800h"}, cert: {duration: "8760h"}}, libvirt: {ca: {duration: "43800h"}, cert: {duration: "17520h"}}, ovn: {ca: {duration: "43800h"}, cert: {duration: "8760h"}}}}
+	// +kubebuilder:default={ingress: {enabled: true, ca: {duration: "87600h"}, cert: {duration: "10950h"}}, podLevel: {enabled: true, internal:{ca: {duration: "87600h"}, cert: {duration: "10950h"}}, libvirt: {ca: {duration: "87600h"}, cert: {duration: "43800h"}}, ovn: {ca: {duration: "87600h"}, cert: {duration: "10950h"}}}}
 	// TLS - Parameters related to the TLS
 	TLS TLSSection `json:"tls"`
 

diff --git a/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml b/config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml
@@ -17103,27 +17103,27 @@ spec:
                 default:
                   ingress:
                     ca:
-                      duration: 43800h
+                      duration: 87600h
                     cert:
-                      duration: 8760h
+                      duration: 10950h
                     enabled: true
                   podLevel:
                     enabled: true
                     internal:
                       ca:
-                        duration: 43800h
+                        duration: 87600h
                       cert:
-                        duration: 8760h
+                        duration: 10950h
                     libvirt:
                       ca:
-                        duration: 43800h
+                        duration: 87600h
                       cert:
-                        duration: 17520h
+                        duration: 43800h
                     ovn:
                       ca:
-                        duration: 43800h
+                        duration: 87600h
                       cert:
-                        duration: 8760h
+                        duration: 10950h
                 properties:
                   caBundleSecretName:
                     type: string

diff --git a/tests/kuttl/common/assert-sample-deployment.yaml b/tests/kuttl/common/assert-sample-deployment.yaml
@@ -174,22 +174,27 @@ spec:
   tls:
     ingress:
       ca:
-        duration: 43800h0m0s
+        duration: 87600h0m0s
       cert:
-        duration: 8760h0m0s
+        duration: 10950h0m0s
       enabled: true
     podLevel:
       enabled: true
       internal:
         ca:
-          duration: 43800h0m0s
+          duration: 87600h0m0s
         cert:
-          duration: 8760h0m0s
-      ovn:
+          duration: 10950h0m0s
+      libvirt:
         ca:
+          duration: 87600h0m0s
+        cert:
           duration: 43800h0m0s
+      ovn:
+        ca:
+          duration: 87600h0m0s
         cert:
-          duration: 8760h0m0s
+          duration: 10950h0m0s
 status:
   conditions:
   - message: Setup complete

diff --git a/tests/kuttl/tests/collapsed/01-assert-collapsed-cell.yaml b/tests/kuttl/tests/collapsed/01-assert-collapsed-cell.yaml
@@ -127,22 +127,27 @@ spec:
   tls:
     ingress:
       ca:
-        duration: 43800h0m0s
+        duration: 87600h0m0s
       cert:
-        duration: 8760h0m0s
+        duration: 10950h0m0s
       enabled: true
     podLevel:
       enabled: true
       internal:
         ca:
-          duration: 43800h0m0s
+          duration: 87600h0m0s
         cert:
-          duration: 8760h0m0s
-      ovn:
+          duration: 10950h0m0s
+      libvirt:
         ca:
+          duration: 87600h0m0s
+        cert:
           duration: 43800h0m0s
+      ovn:
+        ca:
+          duration: 87600h0m0s
         cert:
-          duration: 8760h0m0s
+          duration: 10950h0m0s
 status:
   conditions:
   - message: Setup complete

diff --git a/tests/kuttl/tests/galera-3replicas/01-assert-galera-3replicas.yaml b/tests/kuttl/tests/galera-3replicas/01-assert-galera-3replicas.yaml
@@ -130,22 +130,27 @@ spec:
   tls:
     ingress:
       ca:
-        duration: 43800h0m0s
+        duration: 87600h0m0s
       cert:
-        duration: 8760h0m0s
+        duration: 10950h0m0s
       enabled: true
     podLevel:
       enabled: true
       internal:
         ca:
-          duration: 43800h0m0s
+          duration: 87600h0m0s
         cert:
-          duration: 8760h0m0s
-      ovn:
+          duration: 10950h0m0s
+      libvirt:
         ca:
+          duration: 87600h0m0s
+        cert:
           duration: 43800h0m0s
+      ovn:
+        ca:
+          duration: 87600h0m0s
         cert:
-          duration: 8760h0m0s
+          duration: 10950h0m0s
 status:
   conditions:
   - message: Setup complete

diff --git a/tests/kuttl/tests/galera-basic/01-assert-galera.yaml b/tests/kuttl/tests/galera-basic/01-assert-galera.yaml
@@ -149,22 +149,27 @@ spec:
   tls:
     ingress:
       ca:
-        duration: 43800h0m0s
+        duration: 87600h0m0s
       cert:
-        duration: 8760h0m0s
+        duration: 10950h0m0s
       enabled: true
     podLevel:
       enabled: true
       internal:
         ca:
-          duration: 43800h0m0s
+          duration: 87600h0m0s
         cert:
-          duration: 8760h0m0s
-      ovn:
+          duration: 10950h0m0s
+      libvirt:
         ca:
+          duration: 87600h0m0s
+        cert:
           duration: 43800h0m0s
+      ovn:
+        ca:
+          duration: 87600h0m0s
         cert:
-          duration: 8760h0m0s
+          duration: 10950h0m0s
 status:
   conditions:
   - message: Setup complete