Comments (6)
#14 I think this behavior is introduced with this PR. NotBefore is truncated with duration - renewBefore. I tried to use the default of renewBefore, which is 2/3 of Duration, but the Validity is still weird:
2019-08-30 00:00:00 +0000 UTC
2039-08-25 00:00:00 +0000 UTC
If I override Rounding and set 1h (which will never be computed), it makes more sense:
2022-06-03 11:00:00 +0200 CEST
2032-05-31 11:00:00 +0200 CEST
I do not exactly understand the behavior of Rounding and why it is set to this calculation. The outcome of this calculation does not make any sense to me.
from kms-issuer.
The rationale for using time.Truncate was to ensure the ca.pem is generated across multiple Kubernetes clusters with the same KMS key (which requires setting NotBefore/NotAfter to the same value). But as you mentioned, the very first set of dates is just weird. This isn't great.
I think this could be refactored because it's just confusing. Having a different root-ca pem isn't a real issue.
Hey chaudyg,
but at some point the KMS Issuer will create a new CA with new values in NotBefore/NotAfter. I did not understand when this will happen. I tested this with a simple Go script and modified time.Now(), but it is not really clear when I lose my current Issuer when I recreate them.
Does it make sense to build a feature to set notBefore and notAfter to a certain value? With that I would have more control over how long my rootCA would last. So if I set spec.NotBefore and spec.NotAfter, the kmsIssuer would generate me a RootCa with this validity, and if I set this in every cluster to the same value, I would get the same RootCA every time.
> but at some point the KMS Issuer will create a new CA with new values in NotBefore/NotAfter. I did not understand when this will happen.
As you said, this should be renewed by default 2/3rds of the way through the certificate's duration. So, if your CA is valid for 21 years, a new PEM will be regenerated 7 years before expiration.
> Does it make sense to build a feature to set notBefore and notAfter to a certain value?
kms-issuer uses the same strategy as cert-manager: the private key is unchanged but the public ca pem is automatically renewed. Hard-coding some dates would force the users to manage those dates manually.
I think there is something not clear, but I am not sure what it is. Am I answering your question?
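The two points in this exchange (NotBefore being truncated to a rounding interval so that clusters sharing one KMS key derive the same dates, and renewal falling two thirds of the way through the validity window) can be reproduced with a small Go program. The following is an added example written for this page; it is not kms-issuer's own code. The helper names (`caValidity`, `renewAt`, `defaults`), the default of `renewBefore = duration/3`, the default rounding interval of `duration - renewBefore` and the sample clock are all assumptions chosen to match what the thread describes.

```go
package main

import (
	"fmt"
	"time"
)

// defaults fills in the two assumed defaults used by this illustration
// (not kms-issuer's code): renewBefore is one third of the duration, so
// renewal happens two thirds of the way through the window, and the
// rounding interval is duration - renewBefore, as the reporter observed.
func defaults(duration, renewBefore, rounding time.Duration) (time.Duration, time.Duration) {
	if renewBefore <= 0 {
		renewBefore = duration / 3
	}
	if rounding <= 0 {
		rounding = duration - renewBefore
	}
	return renewBefore, rounding
}

// caValidity derives a NotBefore/NotAfter pair for the CA certificate.
// NotBefore is truncated to the rounding interval, so every cluster that
// computes it during the same interval gets identical dates, which the
// thread names as the requirement for producing the same ca.pem from one
// shared KMS key. time.Truncate rounds down to a multiple of the interval
// counted from Go's zero time (year 1), not from "now"; that is why a
// multi-year interval produces dates that look arbitrary, while a 1h
// interval simply snaps to the top of the hour.
func caValidity(now time.Time, duration, renewBefore, rounding time.Duration) (time.Time, time.Time) {
	_, rounding = defaults(duration, renewBefore, rounding)
	notBefore := now.UTC().Truncate(rounding)
	return notBefore, notBefore.Add(duration)
}

// renewAt is the instant at which the CA certificate would be re-issued:
// renewBefore ahead of NotAfter. The private key stays the same; only the
// public certificate is regenerated.
func renewAt(notAfter time.Time, duration, renewBefore time.Duration) time.Time {
	renewBefore, _ = defaults(duration, renewBefore, 0)
	return notAfter.Add(-renewBefore)
}

func main() {
	const year = 365 * 24 * time.Hour
	// Constructed sample clock; a real controller would use time.Now().
	now := time.Date(2022, 6, 3, 9, 17, 42, 0, time.UTC)
	for _, r := range []time.Duration{0, time.Hour} {
		nb, na := caValidity(now, 20*year, 0, r)
		fmt.Printf("rounding=%v\n  NotBefore=%v\n  NotAfter =%v\n  renewAt  =%v\n",
			r, nb, na, renewAt(na, 20*year, 0))
	}
}
```

Running it prints one window with the default multi-year rounding and one with rounding overridden to 1h; the second reads naturally, the first does not, even though both are deterministic for any clock that falls inside the same interval.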
Hello @derbauer97, is there any action you would like us to take or are you happy with the answer from @chaudyg?
Sorry for the late answer. I think I understand now how it works. We stick to the default behavior rather than setting renew by ourselves. Now we get a much better Validity. Thanks for your help!