Reduce certificate expiry time #970
This is still blocked by both Chrome and Safari (although I believe this is a bug in Safari as it lets you add the exception and later acknowledges this), but means that the dates on certificates are now valid.
local IP_ADDRESSES="$(get_ips)" | ||
|
||
cp ${SNAP_DATA}/certs/ca.conf.template ${SNAP_DATA}/certs/ca.conf.rendered | ||
if ! [ "$IP_ADDRESSES" == "127.0.0.1" ] && ! [ "$IP_ADDRESSES" == "none" ] |
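Review bot: the `cp ${SNAP_DATA}/certs/ca.conf.template ${SNAP_DATA}/certs/ca.conf.rendered` line leaves both path expansions unquoted, and the `if ! [ "$IP_ADDRESSES" == "127.0.0.1" ] ...` test uses the bash-only `==` inside `[ ]`. Quote the `${SNAP_DATA}` expansions and use `=` so the script behaves the same under a POSIX `sh`; if, as noted above, the template has no `MOREIPS` placeholder to substitute, the `IP_ADDRESSES` branch can be dropped rather than fixed.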
This part does not look right.
The ca.conf.template does not have a MOREIPS line. I think we do not need this part.
fi | ||
|
||
if ! "${SNAP}/usr/bin/cmp" -s "${SNAP_DATA}/certs/ca.conf.rendered" "${SNAP_DATA}/certs/ca.conf"; then | ||
cp ${SNAP_DATA}/certs/ca.conf.rendered ${SNAP_DATA}/certs/ca.conf |
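Review bot: when `cmp -s` reports that the rendered config differs, the new `ca.conf` is copied into place but nothing records that the CA issued from the old config is now stale; the later `if ! [ -f ${SNAP_DATA}/certs/ca.crt ]` guard will still find the existing `ca.crt` and skip regeneration. Propagate the change, for example by setting the function's force flag (or removing the old `ca.crt`) inside this branch, so that the CA and every certificate signed by it are re-issued together; quote the `${SNAP_DATA}` paths in the `cp` as well.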
This does not look right. I think that if there is a change in the ca we should set the force flag on this function so all related certificates are recreated.
# Generate apiserver CA | ||
if ! [ -f ${SNAP_DATA}/certs/ca.crt ]; then | ||
${SNAP}/usr/bin/openssl req -x509 -new -nodes -key ${SNAP_DATA}/certs/ca.key -subj "/CN=10.152.183.1" -days 10000 -out ${SNAP_DATA}/certs/ca.crt | ||
${SNAP}/usr/bin/openssl req -x509 -new -sha256 -nodes -key ${SNAP_DATA}/certs/ca.key -subj "/CN=10.152.183.1" -out ${SNAP_DATA}/certs/ca.crt -config ${SNAP_DATA}/certs/ca.conf |
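Review bot: the replacement `openssl req -x509 ... -config ${SNAP_DATA}/certs/ca.conf` line drops `-days 10000` without passing any other validity, and `openssl req -x509` does not take a validity period from the config file, so the CA will be issued with the command's default of 30 days. If that is not the intended expiry for the PR, pass an explicit `-days N` on this line (and document the chosen value); the move to `-sha256` itself is a welcome change.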
This creates the certificate only the first time. Should we follow the pattern we have for the rest of the certificates where if someone changes the template we trigger the re-issue of the certs?
@@ -167,18 +167,14 @@ spec: | |||
spec: | |||
containers: | |||
- name: kubernetes-dashboard | |||
image: kubernetesui/dashboard:v2.0.0-beta5 | |||
image: kubernetesui/dashboard:v2.0.0-rc5 |
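Review bot: the `image: kubernetesui/dashboard:v2.0.0-rc5` bump is independent of the certificate expiry change and would be easier to review and revert on its own; if it does stay, consider pinning the image by digest in addition to the tag so the deployed dashboard cannot change underneath the tag.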
We may want to have this as a separate PR so it does not get blocked by the rest of the work we are doing here.
Safari is reducing the certificate validity to 1 year. I'm not a Mac user, but just wondering if that will have an impact on this PR.
This reverts commit 312be3b.
LGTM +1 thank you @joedborg
Trying to address #945