Closed
1 change: 1 addition & 0 deletions modules/guides/nav.adoc
Expand Up @@ -5,3 +5,4 @@
** xref:viewing-and-verifying-sboms.adoc[]
** xref:enabling-verification-of-image-signatures.adoc[]
** xref:kubernetes-cluster-domain.adoc[]
** xref:secret-lifetime.adoc[]
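Review bot: the new `** xref:secret-lifetime.adoc[]` entry will render with the page's own title, "Self signed certificate lifetime", so the navigation label and the file name (`secret-lifetime`) will not match; consider either renaming the file to match the title or keeping the file name and making the page title mention `requestedSecretLifetime`, the property users will actually search for. The entry itself follows the sibling xref lines and sits consistently at the end of the guides list.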
54 changes: 54 additions & 0 deletions modules/guides/pages/secret-lifetime.adoc
@@ -0,0 +1,54 @@
= Self signed certificate lifetime
:description: Customize the lifetime of self signed certificates.

Self signed certificates generated by the xref:secret-operator:index.adoc[secret operator] usually have a short lifetime of 24 hours.
In practice this means that Pods have to be restarted daily in order to avoid using expired certificates.
But in high load production environments, reloading Pods can be a costly operation.
It can disrupt services and in some cases even lead to data loss.
To avoid frequent restarts, the lifetime of the self signed certificates can be increased as needed.
Here is an example for configuring the lifetime of self signed certificates to 7 days in a HDFS stacklet:

[source,yaml]
----
---
apiVersion: hdfs.stackable.tech/v1alpha1
kind: HdfsCluster
metadata:
name: hdfs
spec:
nameNodes:
config:
requestedSecretLifetime: 7d # <1>
roleGroups:
default:
replicas: 2
dataNodes:
config:
requestedSecretLifetime: 7d # <2>
roleGroups:
default:
replicas: 2
journalNodes:
roleGroups:
default:
replicas: 3
config:
requestedSecretLifetime: 7d # <3>
----
<1> The lifetime of the self signed certificates for *all* NameNode groups is set to 7 days.
<2> The lifetime of the self signed certificates for *all* DataNode groups is set to 7 days.
<3> The lifetime of the self signed certificates for the `default` JournalNode group is set to 7 days.

NOTE: The configuration for the journal nodes is done at group level for demonstration purposes.

Even though operators allow setting this property to a value of your choice, the secret operator will not exceed the `maxCertificateLifetime` value specifed in the referenced secret class.

Similarly to the example above, users can configure the lifetime of self signed certificates for the following product Stacklets:

* Apache Druid
* Apache Hadoop
* Apache HBase
* Apache Nifi
* Apache Spark
* Apache Zookeeper
* Trino
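Review bot: the sentence about `maxCertificateLifetime` ("the secret operator will not exceed the `maxCertificateLifetime` value specifed in the referenced secret class") leaves open whether a larger `requestedSecretLifetime` is silently capped or rejected, and a user who requests `7d` against a SecretClass with a lower cap will keep seeing the frequent restarts the page promises to avoid; state which behaviour applies, tell the reader to check the effective lifetime against the SecretClass, and fix the typo "specifed" to "specified". The page also never mentions the trade-off of a longer lifetime: a certificate and key that live for 7 days instead of 24 hours stay usable for that much longer if they leak, so one sentence weighing the restart cost against the exposure window would help readers choose a value. Smaller points: hyphenate "self-signed" consistently in the title, `:description:` and body; use the projects' own capitalisation, "Apache NiFi" and "Apache ZooKeeper", in the list; and, as rendered here, the YAML block has lost its indentation, so double-check that `config`, `roleGroups` and `replicas` are nested correctly under each role in the source file.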