This topic describes how you can rotate TLS certificates for Supply Chain Security Tools (SCST) - Store.
By default, the use_cert_manager
setting is set to "true"
. When the setting
use_cert_manager
is "true"
the Store uses cert-manager
to generate a CA
certificate, an API certificate, and a database Certificate.
To see these certificates:
$ kubectl get certificate -n metadata-store
NAME READY SECRET AGE
app-tls-ca-cert True app-tls-ca-cert 38d
app-tls-cert True app-tls-cert 38d
postgres-db-tls-cert True postgres-db-tls-cert 38d
The earlier certificates are automatically rotated by cert-manager
.
The Store can run these certificates automatically once cert-manager
rotates them.
If the environment is a multi-cluster setup, the operator must manually copy over the new CA certificate to the build cluster.
In the tap-values.yaml
file, api_cert_duration
, api_cert_renew_before
,
ca_cert_duration
, and ca_cert_renew_before
are configurable as shown in the
following YAML:
metadata_store:
ca_cert_duration: CA-DURATION
ca_cert_renew_before: CA-RENEW
api_cert_duration: API-DURATION
api_cert_renew_before: API-RENEW
Where:
CA-DURATION
is the duration that the ca certificate is valid for. Must be given inh
,m
, ors
. Default value is 8760h.CA-RENEW
is how long before the expiry of the ca certificate is renewed. Must be given inh
,m
, ors
. Default value is 1h.API-DURATION
is the duration that the API certificate is valid for. Must be given inh
,m
, ors
. Default value is 2160h.API-RENEW
is how long before the expiry of the API certificate is renewed. Must be given in h, m, or s. Default value is 24h.
Important The
*_cert_duration
and the corresponding*_renew_before
settings must not be close. For more information, see the cert-manager documentation. This can lead to a renewal loop. The*_cert_duration
must be greater than the corresponding*_renew_before
. The earlier settings only take effect whenuse_cert_manager
is"true"
. If theuse_cert_manager
is not set, it defaults to"true"
.