Currently all certificates expire 5 years after creation.
Do we want to utilize a parameter for this value? Also, maybe a separate parameter specifically for the common authority certificates for kube-apiserver and etcd, maybe also with a bit longer default?
Maybe also have another parameter for forcing recreation of common authorities, regenerate_ca_certificates=True (in addition to regenerate_certificates).
When the time comes to renew certificates (common authorities specifically) it would be nice to have a zero-downtime routine. I'll see if I can try to test this routine (as soon as I have time). If it only means downtime for state updates (such as Ingress controller config and node updates and similar), I think it's OK. As long as traffic is still routed properly to the containers.