From b7f8c2a104f3884c73c6554739f2102011401f3e Mon Sep 17 00:00:00 2001
From: Mert
Date: Wed, 19 Jun 2024 16:44:46 +0200
Subject: [PATCH] Add cockroachdb-ca-cert duration and renewal interval
---
 build/templates/README.md | 2 ++
 build/templates/values.yaml | 4 ++++
 cockroachdb/templates/certificate.ca.yaml | 2 ++
 3 files changed, 8 insertions(+)
diff --git a/build/templates/README.md b/build/templates/README.md
index 575d3bb7..efec02e4 100644
--- a/build/templates/README.md
+++ b/build/templates/README.md
@@ -408,6 +408,8 @@ For details see the [`values.yaml`](values.yaml) file.
 | `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` |
 | `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` |
 | `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` |
+| `tls.certs.certManagerIssuer.caCertDuration` | Duration of CA cert in hour | `43824h` |
+| `tls.certs.certManagerIssuer.caCertExpiryWindow` | Expiry window of CA cert means a window before actual expiry in which CA cert should be rotated | `648h` |
 | `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
 | `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
 | `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
diff --git a/build/templates/values.yaml b/build/templates/values.yaml
index 46f3190c..4690e7f3 100644
--- a/build/templates/values.yaml
+++ b/build/templates/values.yaml
@@ -519,6 +519,10 @@ tls:
 name: cockroachdb
 # Make it false when you are providing your own CA issuer
 isSelfSignedIssuer: true
+ # Duration of CA certificates in hour
+ caCertDuration: 43800h
+ # Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
+ caCertExpiryWindow: 648h
 # Duration of Client certificates in hours
 clientCertDuration: 672h
 # Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
diff --git a/cockroachdb/templates/certificate.ca.yaml b/cockroachdb/templates/certificate.ca.yaml
index 29794462..4043fafb 100644
--- a/cockroachdb/templates/certificate.ca.yaml
+++ b/cockroachdb/templates/certificate.ca.yaml
@@ -14,6 +14,8 @@ metadata:
 {{- toYaml . | nindent 4 }}
 {{- end }}
 spec:
+ duration: {{ .Values.tls.certs.certManagerIssuer.caCertDuration }}
+ renewBefore: {{ .Values.tls.certs.certManagerIssuer.caCertExpiryWindow }}
 isCA: true
 secretName: {{ .Values.tls.certs.caSecret }}
 privateKey:
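Review bot: The default this commit documents for `caCertDuration` disagrees between its two files: the README row added in the first hunk says `43824h`, while the values.yaml line here sets `caCertDuration: 43800h` (1825 days versus 1826), so one of the two should be corrected before merge. The new comment `# Duration of CA certificates in hour` also breaks the wording of the sibling client/node comments, which say `in hours`; suggest `# Duration of CA certificates in hours (cert-manager duration string, e.g. 43800h = 5 years)`. Because a renewed CA is what every node and client certificate chains to, it would help operators if the `caCertExpiryWindow` comment stated whether node/client certificates are reissued when the CA renews — the hunk does not show that, so confirm the chart's behaviour before wording it.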
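Review bot: The two new `spec` fields are rendered unconditionally and unquoted, so an operator who blanks either value to fall back to cert-manager's defaults gets a bare `duration:` / `renewBefore:` (YAML null) instead of an omitted field, and cert-manager additionally requires `renewBefore` to be shorter than `duration`, which nothing in the chart checks. Wrapping each field keeps it optional: `{{- with .Values.tls.certs.certManagerIssuer.caCertDuration }}` / `duration: {{ . }}` / `{{- end }}`, and likewise for `renewBefore`; the node/client certificate templates are not visible here, so match whatever form they use. The `privateKey:` block that this hunk cuts off decides whether a renewal keeps the CA key: if it sets `rotationPolicy: Always`, certificates signed by the previous CA stop validating after renewal until they are reissued and the pods reload them, which deserves a comment next to `renewBefore:` so the rotation window is not tuned without that in mind.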