GoogleCloudPlatform / flink-on-k8s-operator

[DEPRECATED] Kubernetes operator for managing the lifecycle of Apache Flink and Beam applications.
Apache License 2.0

make the webhook expire days longer #374

Closed kinderyj closed 3 years ago

kinderyj commented 3 years ago

Fix the issue 356

We should make the expiry period longer: the default is 30 days, and we change it to 3650.

Ayush-Singhal28 commented 3 years ago

@kinderyj Could you please confirm that this solution works on Kubernetes? The reason is that I was using the same solution, but when I describe the crt, it is still 30 days. In order to check:

    kubectl get secret webhook-server-cert -n flink-operator-system -o yaml

Copy the tls.crt content and decode it:

    echo "---crt----" | base64 -d > webhook.crt

When you open this webhook.crt file, you will see the expiry is still 30 days, though your command is correct.

kinderyj commented 3 years ago

> @kinderyj Could you please confirm that this solution works on Kubernetes? The reason is that I was using the same solution, but when I describe the crt, it is still 30 days. In order to check:
>
>     kubectl get secret webhook-server-cert -n flink-operator-system -o yaml
>
> Copy the tls.crt content and decode it:
>
>     echo "---crt----" | base64 -d > webhook.crt
>
> When you open this webhook.crt file, you will see the expiry is still 30 days, though your command is correct.

My test steps:

  1. On Nov 18, changed the args -days to 1 and installed the flink-operator by helm chart.

         openssl x509 -days 1 -req -CA ca.crt -CAkey ca.key -CAcreateserial -out ${tmpdir}/server-cert.pem

  2. Get the secret:

         kubectl get secret webhook-server-cert -n flink-operator-system -o yaml

  3. Copy the tls.crt content and base64-decode it to a new file, such as webhook.crt:

         echo "tls.crt content......" | base64 -d > webhook.crt

  4. Decode:

         openssl x509 -noout -text -in webhook.crt

The result is as below.

You can see that Not Before is Nov 18 and Not After is Nov 19, only 1 day, so it seems to work.

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
               xxxxx
        Signature Algorithm: xxxxxx
            Issuer: CN=Admission Controller Webhook CA
            Validity
                Not Before: Nov 18 08:41:18 2020 GMT
                Not After : Nov 19 08:41:18 2020 GMT
            Subject: CN=flink-operator-webhook-service.flink-operator-system.svc
            ......

  5. On Nov 19, I tried to create flink operator and reproduced the issue 355.

  6. Changed the args -days to 3650 and repeated the steps above; the Validity is as below, it's 10 years.

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number:
               xxxxx
        Signature Algorithm: xxx
            Issuer: CN=Admission Controller Webhook CA
            Validity
                Not Before: Nov 24 14:20:29 2020 GMT
                Not After : Nov 22 14:20:29 2030 GMT
            ........
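
A check for the output of the `openssl x509 -noout -text` step above, as an added example that is not part of the pull request or of any comment in this thread: it reads that text, computes the certificate lifetime and the days left, and reports a status. The function names and the 30-day `warn_days` threshold are assumptions; the sample Validity lines are constructed from the two outputs shown above.

```python
import re
import sys
from datetime import datetime, timezone

# Date layout printed by openssl, e.g. "Nov 18 08:41:18 2020 GMT".
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"
FIELD = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample input: the Validity lines of the two outputs in the thread.
ONE_DAY = """Validity
    Not Before: Nov 18 08:41:18 2020 GMT
    Not After : Nov 19 08:41:18 2020 GMT
"""
TEN_YEARS = """Validity
    Not Before: Nov 24 14:20:29 2020 GMT
    Not After : Nov 22 14:20:29 2030 GMT
"""


def parse_validity(x509_text):
    """Return (not_before, not_after) as UTC datetimes from the text dump."""
    found = {}
    for name, value in FIELD.findall(x509_text):
        parsed = datetime.strptime(value, OPENSSL_DATE)
        found[name] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block in input")
    return found["Before"], found["After"]


def assess(x509_text, now, warn_days=30):
    """Lifetime, days left and status; warn_days is an assumed threshold."""
    not_before, not_after = parse_validity(x509_text)
    remaining = (not_after - now).days
    if now < not_before:
        status = "not-yet-valid"
    elif now >= not_after:
        status = "expired"
    elif remaining < warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {"lifetime_days": (not_after - not_before).days,
            "remaining_days": remaining, "status": status}


if __name__ == "__main__":
    report = assess(sys.stdin.read(), datetime.now(timezone.utc))
    print(report)
    sys.exit(0 if report["status"] == "ok" else 1)
```

Pipe `openssl x509 -noout -text -in webhook.crt` into the script; it exits non-zero unless the status is `ok`, so it can gate a deployment check.
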
functicons commented 3 years ago

/gcbrun