spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

Spire can support config activationThresholdCap? #5301

Open penghuazhou opened 1 month ago

penghuazhou commented 1 month ago

Spire can support config activationThresholdCap?

Now it hardcodes `7 * 24 * time.Hour`; I want to modify it to `14 * 24 * time.Hour`. In some cases, we want the SVID not to rotate so quickly.

https://github.com/spiffe/spire/blob/main/pkg/server/ca/manager/manager.go

Scenario: I want workload SVIDs to have a lifetime of more than 3 days. But with a nested SPIRE architecture, this is not supported. The intermediate CA certificate cannot be given a lifetime of more than 7 days. CA certificates are rotated ttl/6 (maximum 7 days) before expiration. So the intermediate validity time may be 7/6 day. Workload SVIDs will then be rotated in about half a day.
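To make the rotation arithmetic in this report concrete, here is a small model of the rule as the thread states it (new CA activated ttl/6 before expiry, capped at activationThresholdCap). It is an added illustration, not SPIRE's own code; the function names, the 90-day and 1-day sample lifetimes, and the 7-day versus 14-day comparison are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"time"
)

// activationThresholdDivisor models the "ttl/6" rule described in the issue.
// This file is a hypothetical model, not the SPIRE manager implementation.
const activationThresholdDivisor = 6

// ActivationThreshold returns the instant at which the next CA takes over from
// the current one: lifetime/6 before notAfter, but never more than thresholdCap
// before notAfter. thresholdCap plays the role of activationThresholdCap.
func ActivationThreshold(issuedAt, notAfter time.Time, thresholdCap time.Duration) time.Time {
	threshold := notAfter.Sub(issuedAt) / activationThresholdDivisor
	if threshold > thresholdCap {
		threshold = thresholdCap
	}
	return notAfter.Add(-threshold)
}

// ActiveWindow is how long a CA actually signs before being superseded, which
// bounds how long an SVID it issues can be expected to stay current.
func ActiveWindow(issuedAt, notAfter time.Time, thresholdCap time.Duration) time.Duration {
	return ActivationThreshold(issuedAt, notAfter, thresholdCap).Sub(issuedAt)
}

func main() {
	// Constructed sample inputs: a long-lived and a short-lived CA, under the
	// current 7-day cap and the 14-day cap proposed in the issue.
	issued := time.Date(2024, 7, 1, 0, 0, 0, 0, time.UTC)
	lifetimes := []time.Duration{90 * 24 * time.Hour, 24 * time.Hour}
	caps := []time.Duration{7 * 24 * time.Hour, 14 * 24 * time.Hour}
	for _, ttl := range lifetimes {
		for _, c := range caps {
			notAfter := issued.Add(ttl)
			fmt.Printf("ttl=%v cap=%v -> next CA active at %v, active window %v\n",
				ttl, c, ActivationThreshold(issued, notAfter, c).UTC(), ActiveWindow(issued, notAfter, c))
		}
	}
}
```

Raising the cap only matters once ttl/6 exceeds 7 days (a CA lifetime over 42 days); for a 1-day intermediate the threshold is 4 hours under either cap, which is why the cap alone does not fix the short-lived nested case.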

penghuazhou commented 1 month ago

@amartinezfayo, I can commit a PR.

amartinezfayo commented 1 month ago

Thank you @penghuazhou for opening the issue and volunteering to work on this. We already had a similar conversation about the SVID rotation threshold on agents (#4115), which resulted in the `availability_target` configurable in agents. We will need to have something similar here. We will be discussing this within the maintainers group so we can figure out the exact shape this would take in order to influence this activation threshold cap. I'll comment back here with the details.

penghuazhou commented 1 month ago

thanks

amartinezfayo commented 3 weeks ago

We discussed this in the last maintainers sync, and we think that in order to provide users flexibility on the way that CA rotation happens, they should be able to influence/configure three variables:

@azdagron I know you also wanted to comment here. Am I missing something?