On Thu, Feb 4, 2016 at 1:54 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:

> As part of OSE 3.X installation we have to generate multiple SSL certs for
> cluster objects to communicate (master, node, router, registry etc). I
> knew all communication within OSE uses SSL. By default we might be
> generating certs using the OSE provided CA cert and key.
>
> Questions
> ========
> What is the validity of these certs?

The main certs will be the Master and Node. If the defaults are used I think they will be valid for one year. Eventually we'll switch the router and registry over to using serviceaccount tokens. Everything pods need to securely connect to the Master can be injected in at pod start. The router and registry were created before that infrastructure existed, which is why we hacked around it with environment variables.

> Will OSE automatically monitor and renew?

Not yet. Over time more of this type of monitoring will be handled by OpenShift itself.

> If not, infra teams have to closely monitor and renew before expiration?
> Can we use any SSL certs instead of using the OSE default CA authority?

Today the deployment of a custom CA to be used for internal communication to the master is manual. We're working to make that much easier as part of https://trello.com/c/NsT6f1HL/38-8-atomic-openshift-installer-support-for-redeploying-certificates

> What is the impact if we don't renew these internal certs?

Depending on how widespread the problem was it could definitely degrade service.

> If customer has multiple clusters in production, don't you think it is over
> burden to watch and renew?

We definitely understand the burden for large environments. Ideally we'll integrate with various types of PKI.

> Any other useful information for cluster admins or planners?
>
> --
> Srinivas Kotaru
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
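The reply above says that expiry monitoring of the master, node, router and registry certificates is still a manual job for the infra team. As an added example, not part of this thread and not OpenShift's own tooling, here is a small Go program that parses PEM certificates and reports whole days until expiry, flagging any at or below a warning window (the 60-day window, the component names and the `.example.test` subjects are assumptions). It builds its own self-signed sample certificates so it runs offline; against a real cluster you would feed `checkCert` the bytes of each component's PEM file instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertStatus is one row of the expiry report.
type CertStatus struct {
	Name     string    // label the admin gave this cert (e.g. "master")
	Subject  string    // subject CN, for the report
	NotAfter time.Time // expiry taken from the certificate
	DaysLeft int       // whole days between now and NotAfter (negative if expired)
	Expiring bool      // true when DaysLeft is at or below the warning window
}

// parsePEMCertificate returns the first CERTIFICATE block in pemBytes.
func parsePEMCertificate(pemBytes []byte) (*x509.Certificate, error) {
	for len(pemBytes) > 0 {
		block, rest := pem.Decode(pemBytes)
		if block == nil {
			break
		}
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
		pemBytes = rest
	}
	return nil, errors.New("no CERTIFICATE block found")
}

// checkCert parses one PEM certificate and reports how many whole days remain
// before NotAfter at time now, flagging it when that is at or below warnDays.
func checkCert(name string, pemBytes []byte, now time.Time, warnDays int) (CertStatus, error) {
	cert, err := parsePEMCertificate(pemBytes)
	if err != nil {
		return CertStatus{}, fmt.Errorf("%s: %w", name, err)
	}
	days := int(cert.NotAfter.Sub(now).Hours() / 24)
	return CertStatus{
		Name:     name,
		Subject:  cert.Subject.CommonName,
		NotAfter: cert.NotAfter,
		DaysLeft: days,
		Expiring: days <= warnDays,
	}, nil
}

// selfSignedPEM builds a constructed self-signed certificate (assumption: stands
// in for a cluster component's real cert) so the example runs offline.
func selfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed sample: four component certs with different expiries,
	// checked on a fixed "today" with a 60-day warning window.
	now := time.Date(2016, 2, 4, 0, 0, 0, 0, time.UTC)
	issued := now.Add(-400 * 24 * time.Hour)
	samples := []struct {
		name string
		ttl  time.Duration
	}{
		{"master", 365 * 24 * time.Hour},
		{"node", 45 * 24 * time.Hour},
		{"router", -3 * 24 * time.Hour}, // already expired
		{"registry", 200 * 24 * time.Hour},
	}
	for _, s := range samples {
		pemBytes, err := selfSignedPEM(s.name+".example.test", issued, now.Add(s.ttl))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		st, err := checkCert(s.name, pemBytes, now, 60)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		flag := ""
		if st.Expiring {
			flag = "  <-- renew"
		}
		fmt.Printf("%-9s %-22s expires %s (%4d days)%s\n",
			st.Name, st.Subject, st.NotAfter.Format("2006-01-02"), st.DaysLeft, flag)
	}
}
```

Run it on a schedule against each cluster's PEM files and alert on any `Expiring` row; a negative `DaysLeft` means the cert has already lapsed and the component will start failing TLS handshakes.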
