Brenton,

That is good info. Just checked all the certs' validity.

Master and node certs are valid for 1 year. The other certs (master.proxy-client, master.kubelet-client.crt, openshift-router.crt, openshift-registry.crt) are valid for 2 years. I didn't find any documentation on how to renew the default certs post-deployment. Can you point me to the right source?

--
Srinivas Kotaru

On 2/5/16, 12:41 PM, "Brenton Leanhardt" <[email protected]> wrote:

>On Thu, Feb 4, 2016 at 1:54 PM, Srinivas Naga Kotaru (skotaru)
><[email protected]> wrote:
>> As part of OSE 3.X installation we have to generate multiple SSL certs for
>> cluster objects to communicate (master, node, router, registry etc). I
>> know all communication within OSE uses SSL. By default we might be
>> generating certs using the OSE-provided CA cert and key.
>>
>> Questions
>> ========
>> What is the validity of these certs?
>
>The main certs will be the Master and Node. If the defaults are used
>I think they will be valid for one year.
>
>Eventually we'll switch the router and registry over to using
>serviceaccount tokens. Everything pods need to securely connect to
>the Master can be injected in at pod start. The router and registry
>were created before that infrastructure existed which is why we hacked
>around it with environment variables.
>
>> Will OSE automatically monitor and renew?
>
>Not yet. Over time more of this type of monitoring will be handled by
>OpenShift itself.
>
>> If not, do infra teams have to closely monitor and renew before expiration?
>> Can we use any SSL certs instead of using the OSE default CA authority?
>
>Today the deployment of a custom CA to be used for internal
>communication to the master is manual. We're working to make that
>much easier as part of
>https://trello.com/c/NsT6f1HL/38-8-atomic-openshift-installer-support-for-redeploying-certificates
>
>> What is the impact if we don't renew these internal certs?
>
>Depending on how widespread the problem was it could definitely degrade
>service.
>
>> If a customer has multiple clusters in production, don't you think it is too
>> much of a burden to watch and renew?
>
>We definitely understand the burden for large environments. Ideally
>we'll integrate with various types of PKI.
>
>> Any other useful information for cluster admins or planners?
>>
>> --
>> Srinivas Kotaru
>>
>> _______________________________________________
>> users mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
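The thread settles that, at the time, OSE 3.x neither monitors nor renews these internal certificates, so the infra team needs its own expiry check. The script below is an added example (editor's code, not from the thread or from OpenShift): it pulls the validity window straight out of the DER encoding using only the Python standard library, so it runs on a master without extra packages, and reports every certificate at or under a warning threshold, expired ones included. The file names in SAMPLE are either taken from the thread or assumed (master.server.crt, node.server.crt), the dates are constructed to mirror the lifetimes reported above (1 year for master/node, 2 years for the others), and fake_cert exists only to build structurally valid, unsigned sample input; on a real master you would feed it the .crt files from the config directory via pem_to_der instead.

```python
"""Certificate expiry check, stdlib only (added example, not OpenShift code)."""
import base64
import datetime as dt


def _der(tag, body):
    """Minimal DER TLV encoder; used here only to build constructed sample input."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _tlv(buf, pos):
    """Decode the TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + ln


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed element."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _parse_time(tag, raw):
    """Decode an X.509 Time: UTCTime (0x17, two-digit year) or GeneralizedTime (0x18)."""
    s = raw.decode("ascii")
    if tag == 0x17:                                 # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY
        year = int(s[:2])
        year += 1900 if year >= 50 else 2000
        s = f"{year}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag {tag:#x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, tbs_pos, _ = _tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, tbs_pos)      # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, vstart, vend = fields[3]
    times = [_parse_time(t, der[a:b]) for t, a, b in _children(der, vstart, vend)]
    return times[0], times[1]


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body (what a .crt file holds)."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def days_left(der, now):
    """Whole days until notAfter; negative once the certificate has expired."""
    return (cert_validity(der)[1] - now).days


def expiring(certs, now, warn_days=30):
    """certs: {name: der}. Return {name: days_left} for certs at/under the threshold."""
    out = {}
    for name, der in certs.items():
        d = days_left(der, now)
        if d <= warn_days:
            out[name] = d
    return out


def fake_cert(not_before, not_after):
    """Constructed sample input: structurally valid, unsigned Certificate with empty names."""
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    name = _der(0x30, b"")                          # empty RDNSequence
    tbs = (_der(0xA0, _der(0x02, b"\x02"))          # [0] version v3
           + _der(0x02, b"\x01")                    # serialNumber
           + alg + name
           + _der(0x30, utc(not_before) + utc(not_after))
           + name
           + _der(0x30, b""))                       # placeholder subjectPublicKeyInfo
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))


_U = dt.timezone.utc
NOW = dt.datetime(2016, 2, 5, tzinfo=_U)            # date of the thread
SAMPLE = {                                          # constructed dates; some names assumed
    "master.server.crt": fake_cert(dt.datetime(2015, 3, 1, tzinfo=_U), dt.datetime(2016, 3, 1, tzinfo=_U)),
    "node.server.crt": fake_cert(dt.datetime(2015, 1, 31, tzinfo=_U), dt.datetime(2016, 1, 31, tzinfo=_U)),
    "master.kubelet-client.crt": fake_cert(dt.datetime(2015, 3, 1, tzinfo=_U), dt.datetime(2017, 3, 1, tzinfo=_U)),
    "openshift-router.crt": fake_cert(dt.datetime(2015, 3, 1, tzinfo=_U), dt.datetime(2017, 3, 1, tzinfo=_U)),
}

if __name__ == "__main__":
    for name, d in sorted(expiring(SAMPLE, NOW).items()):
        print(f"{name}: {'EXPIRED' if d < 0 else f'{d} days left'}")
```

Run it from cron on each master and alert on any non-empty result; a threshold of 30 days leaves time to redeploy and restart the affected components, and the negative value on an already-expired cert tells you which ones are the cause of a connection failure you are already seeing.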
