openziti / ziti

The parent project for OpenZiti. Here you will find the executables for a fully zero trust, application embedded, programmable network @OpenZiti
https://openziti.io
Apache License 2.0

renew the controller's leaf certs at interval #1994

Open qrkourier opened 6 months ago

qrkourier commented 6 months ago

Presently, the deployments for Linux and Docker renew the controller's leaf certs at startup by default. Clint suggests in this comment that they should also or instead renew the leaf certs at some interval.

If they did renew at an interval, it would be better than requiring a restart of the controller, especially if only one controller existed.

The best way to address this is by discussing how the controller should manage its certificates. That would be better than requiring every deployment to wrap and manage leaf cert renewal.

qrkourier commented 2 months ago

Should the controller take a more active role in managing the leaf certs, including SPIFFE ID, of its default identity (or all identities)?
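As an added illustration of the interval-based renewal discussed in this issue (not code from the openziti project): the leaf is re-minted only once a chosen fraction of its validity window is left, rather than unconditionally at startup, and `untilDue` gives the sleep time an interval timer can use instead of polling. The names `renewalDue`, `untilDue`, `issueLeaf` and `renewLoop` are hypothetical, and `issueLeaf` builds a constructed certificate with only a validity window in place of a real request to the controller's CA.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// renewalDue is true once no more than `fraction` of the leaf's validity window remains.
func renewalDue(cert *x509.Certificate, now time.Time, fraction float64) bool {
	return untilDue(cert, now, fraction) == 0
}

// untilDue returns how long from `now` until the leaf reaches its renewal point
// (zero if already there); an interval timer can sleep for this instead of polling.
func untilDue(cert *x509.Certificate, now time.Time, fraction float64) time.Duration {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	renewAt := cert.NotAfter.Add(-time.Duration(float64(lifetime) * fraction))
	if d := renewAt.Sub(now); d > 0 {
		return d
	}
	return 0
}

// issueLeaf stands in for requesting a fresh leaf from the controller's CA; only the
// validity window matters here, so the constructed cert carries no key or signature.
func issueLeaf(notBefore time.Time, lifetime time.Duration) *x509.Certificate {
	return &x509.Certificate{NotBefore: notBefore, NotAfter: notBefore.Add(lifetime)}
}

// renewLoop simulates the periodic check on a stepped clock: each tick the leaf is
// reissued only when due. Returns how many renewals happened over `ticks`.
func renewLoop(start time.Time, lifetime, tick time.Duration, ticks int, fraction float64) int {
	cert, renewals, now := issueLeaf(start, lifetime), 0, start
	for i := 0; i < ticks; i++ {
		now = now.Add(tick)
		if renewalDue(cert, now, fraction) {
			cert = issueLeaf(now, lifetime)
			renewals++
		}
	}
	return renewals
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	// 90-day leaf checked daily, renewed once a third or less of its life remains
	// (startup-only renewal would instead let it expire on day 90 if never restarted).
	fmt.Println("renewals in a year:", renewLoop(start, 90*24*time.Hour, 24*time.Hour, 365, 1.0/3)) // 6
}
```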