Add cockroachdb-ca-cert duration and renewal interval
mekaan committed Jun 19, 2024
1 parent 31f086f commit b7f8c2a
Showing 3 changed files with 8 additions and 0 deletions.
2 changes: 2 additions & 0 deletions build/templates/README.md
Expand Up @@ -408,6 +408,8 @@ For details see the [`values.yaml`](values.yaml) file.
| `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` |
| `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` |
| `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` |
| `tls.certs.certManagerIssuer.caCertDuration` | Duration of CA cert in hour | `43824h` |
| `tls.certs.certManagerIssuer.caCertExpiryWindow` | Expiry window of CA cert means a window before actual expiry in which CA cert should be rotated | `648h` |
| `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
| `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
| `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
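Review bot: The default documented for `tls.certs.certManagerIssuer.caCertDuration` in the new table row is `43824h`, but the values.yaml change in this same commit sets `caCertDuration: 43800h`, so the README and the shipped default disagree; pick one value and use it in both places. The description also reads "in hour" where the neighbouring duration rows say "in hours".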
4 changes: 4 additions & 0 deletions build/templates/values.yaml
Expand Up @@ -519,6 +519,10 @@ tls:
name: cockroachdb
# Make it false when you are providing your own CA issuer
isSelfSignedIssuer: true
# Duration of CA certificates in hour
caCertDuration: 43800h
# Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
caCertExpiryWindow: 648h
# Duration of Client certificates in hours
clientCertDuration: 672h
# Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
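Review bot: The new `caCertExpiryWindow: 648h` is shorter than `clientCertDuration: 672h` directly below it, so a client certificate issued by the current CA just before the CA's renewal point would have a validity end 24h past that CA's expiry. Consider a default window at least as long as the longest leaf certificate duration, or add a comment stating how leaf certificates are expected to be reissued when the CA rotates. The comment above `caCertDuration` should also read "in hours" to match the other duration comments.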
2 changes: 2 additions & 0 deletions cockroachdb/templates/certificate.ca.yaml
Expand Up @@ -14,6 +14,8 @@ metadata:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
duration: {{ .Values.tls.certs.certManagerIssuer.caCertDuration }}
renewBefore: {{ .Values.tls.certs.certManagerIssuer.caCertExpiryWindow }}
isCA: true
secretName: {{ .Values.tls.certs.caSecret }}
privateKey:
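Review bot: The new `duration` and `renewBefore` lines under `spec:` are rendered unconditionally, with no `default` and no guard, so an unset value produces an empty field in the CA Certificate manifest. The three files changed in this commit do not include a values file under `cockroachdb/`; if the chart's values file is generated from `build/templates/values.yaml`, it needs regenerating in the same commit. Either way, wrapping each line in a `{{- with ... }}` guard or piping through `default` would keep the template safe when these keys are absent.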
