search

kubewarden / kubewarden-controller

Manage admission policies in your Kubernetes cluster with ease
https://kubewarden.io
Apache License 2.0
191 stars 33 forks source link

Policy server certificate renewal #545

Closed fabriziosestito closed 3 months ago

fabriziosestito commented 1 year ago

From time to time we need to renew the certificate issued to a Policy Server instance. The main reason to perform this operation is to ensure the Policy Server is not using an expired certificate.

To renew a Policy Server certificate the following actions have to be done:

Note: there's no need to touch the webhook configuration objects related to the policies hosted by the Policy Server. The new certificate is still signed by the same CA, hence nothing has to be changed.

Related to: https://github.com/kubewarden/rfc/blob/main/rfc/0018-certificate-handling.md#policy-server-certificate-renewed

Reconcilation loop

Reconciliation loops are triggered whenever an event dealing with a watched resource happens. In this case it could be the create/update/delete of a PolicyServer. The reconciliation loop is also triggered every 10 hours by SyncPeriod as a way to cope with possible glitcheswith the event notification system.

At the beginning of the reconciliation loop, the code should check the expiration date of the certificate used by the Policy Server. If the certificate is about to expire a new one should be created. Check the previous section to see which actions have to be done in this circumstance.

The loop should also monitor changes done to the secret that holds the internal CA. The reconciliation loop should then make sure that the Policy Server certificate has been signed by our CA. If not, a new certificate should be issued (like during a renewal).

Note: checking if the Policy Server certificate has been issued by our CA might be computationally intense. We have to ensure this is not going to cause a CPU spike. We could resort to do something clever using the revision number of the Secret that holds the CA.

SyncPeriod or RequeueAfter

We'd rather be explicit by adding a configuration value and triggering the reconciliation loop via a RequeueAfter.

Refer to this discussion: https://github.com/kubewarden/rfc/pull/24/files#r1333119954

fabriziosestito commented 3 months ago

Superseded by #819 #820