Merged
21 changes: 11 additions & 10 deletions pkg/operator/rotate.go
Expand Up @@ -16,27 +16,28 @@ import (
)

const (
// The duration of the service CA needs to exceeds the maximum supported
// upgrade interval (currently 12 months). A duration of 14 months
// ensures that an upgrade will occur after automated rotation and before
// the expiry of the pre-rotation CA. Since an upgrade restarts all
// services, those services will always be using valid material.
// The minimum remaining duration of the service CA needs to exceeds the maximum
// supported upgrade interval (currently 12 months). A duration of 26 months
// (rotated at 13 months) ensures that an upgrade will occur after automated
// rotation and before the expiry of the pre-rotation CA. Since an upgrade restarts
// all services, those services will always be using valid material.
//
// Example timeline using a 14 month service CA duration:
// Example timeline using a 26 month service CA duration:
//
// - T+0m - Cluster installed with new CA or existing CA is rotated (CA-1)
// - T+8m - Automated rotation replaces CA-1 with CA-2 when CA-1 duration < 6m
// - T+12m - Cluster is upgraded and all pods are restarted
// - T+14m - CA-1 expires. No impact because of the restart at time of upgrade
// - T+13m - Automated rotation replaces CA-1 with CA-2 when CA-1 duration < 13m
// - T+24m - Cluster is upgraded and all pods are restarted
// - T+26m - CA-1 expires. No impact because of the restart at time of upgrade
//
SigningCertificateLifetimeInDays = 426 // 14 months
SigningCertificateLifetimeInDays = 790 // 26 months

// The minimum duration that a CA should be trusted is approximately half
// the default signing certificate lifetime. If a signing CA is valid for
// less than this duration, it is due for rotation. An intermediate
// certificate created by rotation (to ensure that the previous CA remains
// trusted) should be valid for at least this long.
minimumTrustDuration = 182 * 24 * time.Hour
minimumTrustDuration = 395 * 24 * time.Hour // 13 months
)

type signingCA struct {
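Review bot: minimumTrustDuration is hard-coded as `395 * 24 * time.Hour` while its comment says it is approximately half of the signing certificate lifetime, so the two constants can drift apart the next time SigningCertificateLifetimeInDays changes, as it does here from 426 to 790. Consider deriving it, for example `minimumTrustDuration = SigningCertificateLifetimeInDays / 2 * 24 * time.Hour`, so the rotation threshold always follows the CA lifetime. In the updated comment block, "needs to exceeds" should read "needs to exceed", and the T+13m timeline entry says "when CA-1 duration < 13m" where the first sentence now speaks of the minimum remaining duration; wording it as "remaining duration < 13m" would keep the two consistent. The comment also states a maximum supported upgrade interval of 12 months while the example places the upgrade at T+24m, 11 months after the rotation at T+13m; it would help to say in the comment that an upgrade a full 12 months after rotation (T+25m) still lands before CA-1 expires at T+26m.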