
Enforce our 7 day TTL on certificates #50

Open
wants to merge 1 commit into
base: master

Conversation

rcrowe
Member

@rcrowe rcrowe commented Oct 30, 2023

Certificates must be issued for 7 days and start renewing 2/3rds of the way through.

@rcrowe rcrowe requested a review from a team as a code owner October 30, 2023 12:20
@rcrowe rcrowe requested a review from ffilippopoulos October 30, 2023 12:20
message: "renewBefore must be unset of set to 2/3 of duration, which is required to be 168hrs currently (7 days)"
pattern:
spec:
=(renewBefore): "112"
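Review bot: the pattern value `=(renewBefore): "112"` has no unit, while the message in the same rule reasons in hours (2/3 of the required 168hrs is 112h), so a Certificate that sets renewBefore to 112h will not equal the bare literal "112" and will be rejected, and a bare "112" that does match is not a valid duration; the value should carry the unit the message implies, i.e. `=(renewBefore): "112h"`. The message text also reads "unset of set" where "unset or set" is meant.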
Member Author


Not sure if you can reference the duration field & calculate 2/3rds dynamically?
For now as duration is a fixed value, this seemed fine.
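An added stand-alone check (not part of this pull request or its policy engine) that illustrates the rule under review: it derives the expected renewBefore from the duration field instead of hard-coding 112h, accepts an unset renewBefore, and rejects unit-less values such as "112". The Certificate specs it is fed are constructed for illustration; `REQUIRED_DURATION` is the 168h the thread requires.

```python
import re
from typing import Optional

# Added example, not the project's own code. Mirrors the policy intent:
# duration fixed at 168h (7 days); renewBefore unset or exactly 2/3 of duration.
REQUIRED_DURATION = "168h"
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}
_COMPONENT = re.compile(r"(\d+)([hms])")


def parse_duration(value: str) -> int:
    """Parse a Go-style duration ('168h', '1h30m', '112h') into seconds.

    A value without a unit (e.g. '112') or with trailing garbage is rejected;
    that is the mistake a unit-less pattern literal would otherwise hide.
    """
    text = value.strip()
    parts = _COMPONENT.findall(text)
    if not text or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not a duration with a unit: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def expected_renew_before(duration: str) -> int:
    """renewBefore the policy expects: two thirds of duration, in seconds."""
    return parse_duration(duration) * 2 // 3


def check_certificate(spec: dict) -> Optional[str]:
    """Return None if the spec complies, otherwise a human-readable reason."""
    duration = spec.get("duration")
    try:
        if duration is None or parse_duration(duration) != parse_duration(REQUIRED_DURATION):
            return f"duration must be {REQUIRED_DURATION} (7 days), got {duration!r}"
    except ValueError as exc:
        return f"duration is not a valid duration: {exc}"
    renew_before = spec.get("renewBefore")
    if renew_before is None:
        return None  # unset is allowed; the default renewal behaviour applies
    try:
        actual = parse_duration(renew_before)
    except ValueError as exc:
        return f"renewBefore is not a valid duration: {exc}"
    expected = expected_renew_before(duration)
    if actual != expected:
        return f"renewBefore must be 2/3 of duration ({expected // 3600}h), got {renew_before!r}"
    return None
```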

Certificates must be issued for 7 days and start renewing 2/3rds of the
way through.
@rcrowe rcrowe force-pushed the enforce-duration-field-for-shared-kafka branch from 7cfa08a to 4bb8046 October 30, 2023 12:23
Contributor

@matthewhughes-uw matthewhughes-uw left a comment


There's no way to keep this policy closer to the resource it's enforcing upon is there? I'm thinking e.g. if someone in the future changes the name of the issuer these policies will silently be checking nothing but it wouldn't be clear anything changed

operator: Equals
value: kafka-shared-selfsigned-issuer
validate:
message: "Duration must be set to 168h (7 days) as per our recommended best practices"
Contributor


per our recommended best practices

Where are these best recommendations documented (could we link to that here)?

operator: Equals
value: kafka-shared-selfsigned-issuer
validate:
message: "renewBefore must be unset or set to 2/3 of duration, which is required to be 168hrs currently (7 days)"
Contributor


Might help make it very clear where this value comes from

Suggested change
message: "renewBefore must be unset or set to 2/3 of duration, which is required to be 168hrs currently (7 days)"
# 2/3 of value defined in ./require-default-duration.yaml
message: "renewBefore must be unset or set to 2/3 of duration, which is required to be 168hrs currently (7 days)"
