Ratchet down CA lifetimes #358
Comments
|
Happy to reduce it to something less than 2 years, but would prefer >= 15 days or even >= 31 days. Let's have a discussion (in e.g. Arch meeting) |
|
I made the decision to move it to 1 year for the 24.3 release together with release notes and maybe a blog post announcing our future plans of lowering this even further. We need documentation on what it means and an FAQ or something similar on what it means |
|
Refinement by Nick, Sascha |
|
Does this require anything more than just setting the default CA lifetime? |
|
Documentation and potentially a blog post outlining our policy going forward but that's optional. But in general I had hoped that this is going to be a simple thing, yes. |
|
@lfrancke, what kind of documentation do you mean? I assume you mean on the docs site. Just need to know at least one of the following:
I can probably figure it out from there. |
|
It is still not very common to have short lifetimes for certificates and I think we should document it somewhere. I don't think it needs much. Just a paragraph about our certificate handlind. |
|
The Secret operator could use a bit more docs in general. There isn't really a section about it being able to do TLS certs, there isn't a good landing page. Maybe I'd just stick it in the Usage page or the 'Security' page. |
I have read both, and Usage seems most suitable. I'll update the task list in the description. |
We used to hard-code CA durations to 2 years, because we didn't have a way to rotate them, and we didn't have a way to override it. These days both of these have been addressed (#93, #354), so there's no reason anymore to keep it as ridiculously long. As a starting point, a week should be more than plenty, but in that case we would also need to reduce the default
maxCertificateLifetime./cc @sbernauer
Tasks
The text was updated successfully, but these errors were encountered: