automatic service serving cert signer #2324
Conversation
|
@deads2k Did a review on what you have so far and this looks good 🎆 |
|
Yes this is alpha / tech preview. On Fri, Jul 1, 2016 at 4:20 PM, Ashley Hardin notifications@github.com
|
| serving certificate/key pair into a secret in your namespace. To do this, set the | ||
| "service.alpha.openshift.io/serving-cert-secret-name" to the name you want to use | ||
| for your secret. Your PodSpec can then mount that secret and when it is available | ||
| your pod will run. The certificate will be good for the internal service DNS name: |
There was a problem hiding this comment.
What is/are the file name(s) of the key/cert on the secret? File format?
There was a problem hiding this comment.
How long is the cert valid for, and how should renewal be handled?
There was a problem hiding this comment.
How long is the cert valid for, and how should renewal be handled?
One year. The controller could be tweaked to find certs that are close to expiry and regenerate them. It hasn't been done yet, but the clock is ticking.
There was a problem hiding this comment.
What is/are the file name(s) of the key/cert on the secret? File format?
PEM, like our others. tls.crt, tls.key so that it matches the validation requirements for the tls secret type.
|
|
||
| To secure communication to your service, you can have the cluster generate a signed | ||
| serving certificate/key pair into a secret in your namespace. To do this, set the | ||
| "service.alpha.openshift.io/serving-cert-secret-name" to the name you want to use |
There was a problem hiding this comment.
`*service.alpha.openshift.io/serving-cert-secret-name*`
deads2k
force-pushed
the
service-serving-cert
branch
from
bbfea59
to
caa00af
Compare
|
comments addressed. |
|
Thanks! |
|
[rev_history] |
Adds documentation for the service serving certificate signer.
@smarterclayton how should we indicate that this is an alpha feature?