Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RefreshCert should be based on the cert expire time, not after 180 days #191

Closed
anfernee opened this issue Oct 31, 2018 · 4 comments · Fixed by #260
Closed

RefreshCert should be based on the cert expire time, not after 180 days #191

anfernee opened this issue Oct 31, 2018 · 4 comments · Fixed by #260
Assignees
@mengqiy

Comments

@anfernee
Copy link
Member

A server restart will reset the timer but not the certificate. Unless we refresh certificate every time we start the server.

controller-runtime/pkg/webhook/server.go

Line 226 in a8ea205

timer := time.Tick(6 * 30 * 24 * time.Hour)

@anfernee
Copy link
Member Author

cc @mengqiy

@anfernee anfernee changed the title RefreshingCert should be based on the cert expire time, not after 180 days RefreshCert should be based on the cert expire time, not after 180 days Oct 31, 2018
@mengqiy mengqiy self-assigned this Dec 18, 2018
@mengqiy mengqiy mentioned this issue Dec 18, 2018
Merged
@mengqiy
Copy link
Member

mengqiy commented Dec 19, 2018

This is not an real issue, since each time the server starts, it checks if the cert is valid (i.e. not expire in the next 6 months).
In current setup, timer is 180 days.
In the worst case, the server restarts at 179th day after the certs are generated. And after another 180 days, timer fires, the server rotates the certs. Nothing breaks.

@mengqiy
Copy link
Member

mengqiy commented Dec 19, 2018

It probably makes more sense to reduce the timer to 90 days (~ 3 months).
I will do it in #260

@anfernee
Copy link
Member Author

SGTM.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mengqiy mengqiy

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

🐛 fix issue when webhook server refreshing cert mengqiy/controller-runtime
2 participants
@anfernee @mengqiy