Ratchet down CA lifetimes #358
Comments
Happy to reduce it to something less than 2 years, but would prefer >= 15 days or even >= 31 days. Let's have a discussion (in e.g. Arch meeting)
I made the decision to move it to 1 year for the 24.3 release together with release notes and maybe a blog post announcing our future plans of lowering this even further. We need documentation on what it means and an FAQ or something similar on what it means
Refinement by Nick, Sascha
Does this require anything more than just setting the default CA lifetime?
Documentation and potentially a blog post outlining our policy going forward, but that's optional. But in general I had hoped that this is going to be a simple thing, yes.
@lfrancke, what kind of documentation do you mean? I assume you mean on the docs site. Just need to know at least one of the following:
I can probably figure it out from there.
It is still not very common to have short lifetimes for certificates and I think we should document it somewhere. I don't think it needs much. Just a paragraph about our certificate handling.
The Secret operator could use a bit more docs in general. There isn't really a section about it being able to do TLS certs, there isn't a good landing page. Maybe I'd just stick it in the Usage page or the 'Security' page.
I have read both, and Usage seems most suitable. I'll update the task list in the description.
We used to hard-code CA durations to 2 years, because we didn't have a way to rotate them, and we didn't have a way to override it. These days both of these have been addressed (#93, #354), so there's no reason anymore to keep it as ridiculously long. As a starting point, a week should be more than plenty, but in that case we would also need to reduce the default maxCertificateLifetime.
/cc @sbernauer