Closed nesmabadr closed 5 months ago
After thorough investigation, I've identified three potential solutions for achieving no-downtime certificate rotation, each with its own set of advantages and considerations. Let's delve into each solution:
Step | Step-Name | Gateway Server Cert | Gateway Accepts Clients (CACert on KCP) | Clients Accept Server (CACert on SKR) | Client Cert | Note
---|---|---|---|---|---|---
01 | Initial setup | rootA | rootA | rootA | rootA | |
02 | Generate rootB cert in KCP | rootA | rootA | rootA | rootA | |
03 | Reconfigure the Gateway in the KCP | rootA | rootA+rootB | rootA | rootA | All clients with the old certificates signed by rootA still work |
04 | Migrate clients to certificates signed by rootB | rootA | rootA+rootB | rootA+rootB | rootB | |
05 | After all clients are migrated, switch the Gateway to accept only certs signed by rootB | rootB | rootB | rootB | rootB | |
Based on these considerations, I recommend either solution two or three. Solution three offers simplicity in implementation and ensures no downtime by leveraging two Gateways referencing different secrets. However, solution two provides a gradual migration process for clients, which might be advantageous depending on the specific requirements and constraints of the project.
Follow-Up Issue will be created after Team discussion
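The rotation sequence from the table above, replayed as an added Go example (not code from the original issue or from the project): two throwaway roots rootA and rootB are generated in-process, each row checks that the gateway trusts the client cert and the client trusts the gateway cert, and a control row shows why step 03 must precede step 04. The names newCert, accepts, MutualOK and RotationSteps are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

type bundle = []*x509.Certificate // CA trust bundle, i.e. the CACert held on KCP or on SKR
// newCert issues a leaf signed by parent; with parent == nil it issues a self-signed root (rootA / rootB).
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil { parent, parentKey = tmpl, key } // a root signs itself
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// accepts reports whether a peer presenting leaf chains to one of the roots in trust.
func accepts(leaf *x509.Certificate, trust bundle) bool {
	pool := x509.NewCertPool()
	for _, r := range trust { pool.AddCert(r) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
// MutualOK is true only when the gateway accepts the client cert AND the client accepts the gateway cert.
func MutualOK(serverCert *x509.Certificate, gwTrust, clTrust bundle, clientCert *x509.Certificate) bool {
	return accepts(clientCert, gwTrust) && accepts(serverCert, clTrust)
}
// RotationSteps replays the table with fresh roots; leafA/leafB stand in for any cert signed by that root.
func RotationSteps() map[string]bool {
	rootA, keyA := newCert("rootA", nil, nil)
	rootB, keyB := newCert("rootB", nil, nil)
	leafA, _ := newCert("leaf", rootA, keyA)
	leafB, _ := newCert("leaf", rootB, keyB)
	a, b, ab := bundle{rootA}, bundle{rootB}, bundle{rootA, rootB}
	return map[string]bool{
		"01-02 initial setup, rootB only generated": MutualOK(leafA, a, a, leafA),
		"03 gateway (KCP) trusts rootA+rootB":       MutualOK(leafA, ab, a, leafA),
		"04 clients migrated to rootB":              MutualOK(leafA, ab, ab, leafB),
		"05 everything switched to rootB":           MutualOK(leafB, b, b, leafB),
		"control: step 04 without step 03":          MutualOK(leafA, a, ab, leafB),
	}
}
```

Every table row evaluates to true while the control row is false, which is exactly the handshake break the ordering in the table avoids.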
Description:
As a follow-up to this issue, we need to come up with a no-downtime solution to have the leaf certificates rotated along with the CA certificate rotation. The current implementation is here
ACs
Hint https://github.com/cert-manager/cert-manager/issues/2478