client certificate expiration seconds must be greater than or equal to 3600 #149
hrm, seems there is some issue with operator e2e...I am looking at it.
@youhangwang would you rebase the PR, there was a bug in the code that is fixed in #150
* move apply method to separate package
Signed-off-by: Jian Qiu <jqiu@redhat.com>
* make sure the update apply func returns existing object
Signed-off-by: zhujian <jiazhu@redhat.com>
Signed-off-by: Jian Qiu <jqiu@redhat.com>
Signed-off-by: zhujian <jiazhu@redhat.com>
Co-authored-by: Jian Qiu <jqiu@redhat.com>
Signed-off-by: johan <wangyouhang@ibm.com>
Codecov Report
Additional details and impacted files
@@ Coverage Diff @@
## main #149 +/- ##
=======================================
Coverage ? 58.42%
=======================================
Files ? 107
Lines ? 11847
Branches ? 0
=======================================
Hits ? 6922
Misses ? 4254
Partials ? 671
@qiujian16 branch was rebased on the main branch
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: qiujian16, youhangwang
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com> Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>
In PR open-cluster-management-io/registration#312, an option --client-cert-expiration-seconds was exposed so that a user can specify an expiration time in seconds for the client cert. And we use the minimum value of expiration time in CSR - 10min to check if the expiration time is validated. However, for the clientCertificateController in registration, 600 is too short:
So the minimum expiration seconds would be (5 * 60)/(1/5) = 1500s for clientCertificateController. Otherwise, the kube client will use an expired client cert to send requests to the remote cluster.
Considering adding some margin, 1h (3600s) could be a good choice.
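
The arithmetic in the description above, worked through as an added example (not code from this PR or from the project). It assumes, reading the formula (5 * 60)/(1/5), that the controller re-checks the certificate every 5 minutes and renews once less than 1/5 of its lifetime remains; the function names are hypothetical.

```go
package main

import "fmt"

// Assumptions read off the PR's formula (5 * 60)/(1/5), not taken from the
// project's source: the controller re-checks the cert every 5 minutes and
// renews once less than 1/5 of the cert lifetime remains.
const (
	resyncSeconds = 5 * 60
	renewDivisor  = 5
	minExpiration = 3600 // lower bound proposed in this PR
)

// worstCaseExpiredSeconds returns the longest time a cert with the given
// lifetime stays in use after expiry, over every alignment between the
// issue time (t=0) and the controller's periodic ticks.
func worstCaseExpiredSeconds(lifetime int) int {
	worst := 0
	for offset := 0; offset < resyncSeconds; offset++ {
		t := offset
		// Advance tick by tick until the renewal condition holds.
		for (lifetime-t)*renewDivisor >= lifetime {
			t += resyncSeconds
		}
		if over := t - lifetime; over > worst {
			worst = over
		}
	}
	return worst
}

// validateExpirationSeconds is a hypothetical flag check enforcing the bound.
func validateExpirationSeconds(v int) error {
	if v < minExpiration {
		return fmt.Errorf("client cert expiration %ds is below the minimum %ds", v, minExpiration)
	}
	return nil
}

func main() {
	for _, l := range []int{600, 1400, 1500, 3600} {
		fmt.Printf("lifetime=%4ds worst-case expired use=%3ds valid=%v\n",
			l, worstCaseExpiredSeconds(l), validateExpirationSeconds(l) == nil)
	}
}
```

Under these assumptions a 600s certificate can be used for up to 180s after it expires, while any lifetime of 1500s or more is always renewed in time.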