amimof / kubernetes-the-right-way

Install Kubernetes with Ansible
MIT License

Configurable expire dates on certificates #57

Closed anton-johansson closed 4 years ago

anton-johansson commented 5 years ago

Currently all certificates expire 5 years after creation.

Do we want to utilize a parameter for this value? Also, maybe a separate parameter specifically for the common authority certificates for kube-apiserver and etcd, maybe also with a bit longer default?

Maybe also have another parameter for forcing recreation of common authorities, regenerate_ca_certificates=True (in addition to regenerate_certificates).

When the time comes to renew certificates (common authorities specifically) it would be nice to have a zero-downtime routine. I'll see if I can try to test this routine (as soon as I have time). If it only means downtime for state updates (such as Ingress controller config and node updates and similar), I think it's OK. As long as traffic is still routed properly to the containers.

amimof commented 4 years ago

PR #63 fixes this. It adds the certificate_expiry variable, but the regenerate_certificates variable is unchanged for now.