autocert: Renew when 80% of the time until expiration is elapsed #1332
dvaldivia merged 1 commit into minio:master
Currently, the auto-generated MinIO certificate is auto-renewed 48 hours before the expiration date. Since the operator does not set an expiry date, some certificates are short-lived, therefore the operator will try to renew the certificate all the time. The solution is to renew only when 80% of the time until the certificate expiration date has elapsed.
We should set the expiration by default to 365 days @vadmeste
It requires k8s 1.22 and I am not sure it will work everywhere
Can we do that on k8s 1.22 and above at least?
In Kubernetes, the default is already 1 year, unless explicitly set otherwise.
If I am understanding it right, per the Signers and Certificate rotation Kubernetes documentation, the expiration time is decided as follows:
I like the idea of 80%. Whenever the cluster is set to a low certificate expiration time, it is better to rotate based on the consumption of the certificate expiration, rather than a fixed 48 hours. Regardless, if the default is set to something that low, we are going to keep seeing frequent rotations anyway.
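
The two renewal rules discussed in this thread, compared on a short-lived certificate. This is an added example, not the operator's code from this PR; the function names, the sample certificate and its CN are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a constructed sample certificate (hypothetical CN) valid for lifetime.
func selfSigned(notBefore time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "minio.example.internal"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// dueFixedWindow: renew once less than window remains before NotAfter (the 48-hour rule).
func dueFixedWindow(c *x509.Certificate, now time.Time, window time.Duration) bool {
	return !now.Before(c.NotAfter.Add(-window))
}

// dueFraction: renew once frac of the validity period has elapsed (the 80% rule).
func dueFraction(c *x509.Certificate, now time.Time, frac float64) bool {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	return !now.Before(c.NotBefore.Add(time.Duration(float64(lifetime) * frac)))
}

func main() {
	c, err := selfSigned(time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), 24*time.Hour)
	if err != nil {
		panic(err)
	}
	now := c.NotBefore.Add(time.Minute) // one minute after issuance
	fmt.Println(dueFixedWindow(c, now, 48*time.Hour), dueFraction(c, now, 0.8))
}
```

For a 24-hour certificate the fixed 48-hour window is already open at issuance, so every reconcile would trigger a renewal, while the 80% rule waits until roughly 19 hours 12 minutes have elapsed.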
