
Comments (6)

derbauer97 avatar derbauer97 commented on June 15, 2024

#14 I think this behavior is introduced with this PR. NotBefore is truncated with duration - renewBefore. I tried to use the default of renewBefore, which is 2/3 of Duration, but the Validity is still weird:

2019-08-30 00:00:00 +0000 UTC
2039-08-25 00:00:00 +0000 UTC

If I override Rounding and set 1h (which will never be computed), it makes more sense:

2022-06-03 11:00:00 +0200 CEST
2032-05-31 11:00:00 +0200 CEST

I do not exactly understand the behavior of Rounding and why it is set to this calculation. The outcome of this calculation does not make any sense to me.

from kms-issuer.

chaudyg avatar chaudyg commented on June 15, 2024

The rationale for using time.Truncate was to ensure the ca.pem is generated across multiple Kubernetes clusters but with the same KMS key (which requires setting NotBefore/NotAfter to the same value). But as you mentioned, the very first set of dates are just weird. This isn't great.

I think this could be refactored because it's just confusing. Having a different root-ca PEM isn't a real issue.


derbauer97 avatar derbauer97 commented on June 15, 2024

Hey chaudyg,

But at some point the KMS issuer will create a new CA with new values in NotBefore/NotAfter. I did not understand when this will happen. I tested this with a simple Go script and modified time.Now(), but it is not really clear when I lose my current issuer when I recreate them.

Does it make sense to build a feature to set notBefore and notAfter to a certain value? With that I would have more control over how long my root CA would last. So if I set spec.NotBefore and spec.NotAfter, the kmsIssuer would generate me a root CA with this validity, and if I set this in every cluster to the same value, I would get the same root CA every time.


chaudyg avatar chaudyg commented on June 15, 2024

but at some point the kms Issuer will create a new CA with new value in NotBefore/NotAfter. I did not understand when this will happen.

As you said, this should be renewed by default 2/3rds of the way through the certificate's duration. So, if your CA is valid for 21 years, a new PEM will be regenerated 7 years before expiration.

Does it make sense to build a feature to set notBefore and notAfter to a certain value.

kms-issuer uses the same strategy as cert-manager: the private key is unchanged, but the public CA PEM is automatically renewed. Hard-coding some dates would force the users to manage those dates manually.

I think there is something not clear, but I am not sure what it is. Am I answering your question?

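A small model of the dating logic the two comments above describe, as an added example that is not kms-issuer's own code: it assumes NotBefore is time.Now() truncated to duration minus renewBefore (the reading given in the first comment) and that the CA is regenerated renewBefore ahead of expiry; the 10-year duration and timestamps are constructed. It also shows why the first window looks odd: time.Truncate rounds down relative to Go's zero time (year 1), not the Unix epoch.

```go
package main

import (
	"fmt"
	"time"
)

// Window is the validity the modelled issuer stamps on the root CA.
type Window struct {
	NotBefore time.Time
	NotAfter  time.Time
}

// ValidityWindow models the behaviour described in the thread (an assumption,
// not kms-issuer's code): NotBefore is now truncated to duration-renewBefore,
// NotAfter is NotBefore plus duration. With a multi-year interval the boundary
// is a multiple of that interval counted from year 1, hence dates like 2019-08-30.
func ValidityWindow(now time.Time, duration, renewBefore time.Duration) Window {
	rounding := duration - renewBefore
	nb := now.UTC().Truncate(rounding)
	return Window{NotBefore: nb, NotAfter: nb.Add(duration)}
}

// RenewalTime is when the issuer starts regenerating the CA PEM:
// renewBefore ahead of expiry, i.e. two thirds of the way through by default.
func RenewalTime(w Window, renewBefore time.Duration) time.Time {
	return w.NotAfter.Add(-renewBefore)
}

// NeedsRenewal reports whether the CA should be regenerated at time t.
func NeedsRenewal(w Window, renewBefore time.Duration, t time.Time) bool {
	return !t.Before(RenewalTime(w, renewBefore))
}

func main() {
	// Constructed sample: a 10-year CA with the default renewBefore of one third.
	duration := 10 * 365 * 24 * time.Hour
	renewBefore := duration / 3
	now := time.Date(2022, 6, 3, 11, 37, 12, 0, time.UTC)

	w := ValidityWindow(now, duration, renewBefore)
	fmt.Println("NotBefore:", w.NotBefore, "NotAfter:", w.NotAfter)
	fmt.Println("renews at:", RenewalTime(w, renewBefore))

	// Because the renewal point is exactly one rounding interval after NotBefore,
	// the window created at renewal time starts there: every cluster that renews
	// computes the same dates again, which is what the truncation was for.
	next := ValidityWindow(RenewalTime(w, renewBefore), duration, renewBefore)
	fmt.Println("new NotBefore == old renewal time:",
		next.NotBefore.Equal(RenewalTime(w, renewBefore)))
}
```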

maruina avatar maruina commented on June 15, 2024

Hello @derbauer97, is there any action you would like us to take or are you happy with the answer from @chaudyg?


derbauer97 avatar derbauer97 commented on June 15, 2024

Sorry for the late answer. I think I understand now how it works. We stick to the default behavior rather than setting renew ourselves. Now we get a much better Validity. Thanks for your help!

