chore: Reduce CA default lifetime to 1 year (#403)

NickLarsenNZ · web-flow · commit 7313f7d6a732 · 2024-05-06T13:34:58.000Z
* chore: reduce default ca lifetime to 1 year

* chore: fix comment for DEFAULT_CA_CERT_LIFETIME

* chore: update helm chart

* update changelog
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,8 +11,10 @@ All notable changes to this project will be documented in this file.
       - (Recommended) Copying the CA into the new location
         (`kubectl -n default get secret/secret-provisioner-tls-ca -o json | jq '.metadata.namespace = "stackable-operators"' | kubectl create -f-`)
       - Setting the `secretClasses.tls.caSecretNamespace` Helm flag (`--set secretClasses.tls.caSecretNamespace=default`)
+- Reduce CA default lifetime to one year ([#403])
 
 [#397]: https://github.com/stackabletech/secret-operator/pull/397
+[#403]: https://github.com/stackabletech/secret-operator/pull/403
 
 ## [24.3.0] - 2024-03-20
 
diff --git a/deploy/helm/secret-operator/crds/crds.yaml b/deploy/helm/secret-operator/crds/crds.yaml
@@ -48,7 +48,7 @@ spec:
                               description: Whether the certificate authority should be managed by Secret Operator, including being generated if it does not already exist.
                               type: boolean
                             caCertificateLifetime:
-                              default: 730d
+                              default: 365d
                               description: |-
                                 The lifetime of each generated certificate authority.
 
diff --git a/rust/operator-binary/src/backend/tls/mod.rs b/rust/operator-binary/src/backend/tls/mod.rs
@@ -42,8 +42,8 @@ use super::{
 mod ca;
 
 /// How long CA certificates should last for. Also used for calculating when they should be rotated.
-/// Must be less than half of [`DEFAULT_MAX_CERT_LIFETIME`].
-pub const DEFAULT_CA_CERT_LIFETIME: Duration = Duration::from_days_unchecked(365 * 2);
+/// [`DEFAULT_MAX_CERT_LIFETIME`] must be less than half of [`DEFAULT_CA_CERT_LIFETIME`].
+pub const DEFAULT_CA_CERT_LIFETIME: Duration = Duration::from_days_unchecked(365);
 
 /// As the Pods will be evicted [`DEFAULT_CERT_RESTART_BUFFER`] before
 /// the cert actually expires, this results in a restart in approx every 2 weeks,
