Change tls cert rotation policy to never and rotation docs (#236)

finleap-connect · Sep 7, 2022 · 52e5b72 · 52e5b72
1 parent 6ee6c3f
commit 52e5b72
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/build/package/helm/monoskope/templates/gateway/cert-auth.yaml b/build/package/helm/monoskope/templates/gateway/cert-auth.yaml
@@ -25,7 +25,7 @@ spec:
     - key encipherment
     - client auth
   privateKey:
-    rotationPolicy: Always
+    rotationPolicy: Never
     algorithm: RSA
     encoding: PKCS1
     size: 2048

diff --git a/docs/operation/04-k8s-auth.md b/docs/operation/04-k8s-auth.md
@@ -106,3 +106,15 @@ Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.7", GitCom
 ```
 
 You're good to go!
+
+## Certificate rotation
+
+The certificate used by Monoskope to sign and verify k8s tokens has a long expire date by design. 
+
+Rotating it can be done easily using the [cert-manager CLI](https://cert-manager.io/docs/reference/cmctl/#renew)
+
+```shell
+cmctl renew m8-monoskope-tls-cert
+```
+
+For more information see [here](https://cert-manager.io/docs/usage/certificate#actions-triggering-private-key-rotation)