Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve certificate management #3727

Merged
merged 2 commits into from
Feb 3, 2025
Merged

Improve certificate management #3727

merged 2 commits into from
Feb 3, 2025

Conversation

rene-dekker
Copy link
Member

@rene-dekker rene-dekker commented Jan 29, 2025
edited
Loading

  • Rotate certificates 1 month before expiry (if issued by operator) to minimize potential for down time. (Currently certificates are valid for 825 days.)
  • If a certificate is expired, a controller that is fetching a cert for the purpose of adding it to a trusted bundle will skip it. This is similar to the behaviour if a certificate does not exist at all.
  • If a certificate is expired, a controller that is responsible for creating it will replace it. (This is already the current behaviour, just mentioning it here for completeness.)
  • Improve the test suite, such that cert creation for some certs is done once, and not BeforeEach, cutting down run time of the suite from 40s -> 10s.

@marvin-tigera marvin-tigera added this to the v1.38.0 milestone Jan 29, 2025
@rene-dekker rene-dekker force-pushed the ci-1701 branch 2 times, most recently from 9911e9d to 0eb7554 Compare February 1, 2025 01:25
@rene-dekker rene-dekker marked this pull request as ready for review February 1, 2025 01:26
@rene-dekker rene-dekker requested a review from a team as a code owner February 1, 2025 01:26
@rene-dekker
Fix dead-lock between degraded controllers due to certificate expiry.
ad3e60a 
- Rotate certificates 1 month before expiry (if issued by operator) to minimize potential for down time.
- If a certificate is expired, a controller that is fetching a cert for the purpose of adding it to a trusted bundle will skip it. This is similar to the behaviour if a certificate does not exist at all.
@rene-dekker
Improve log messages for certificate manager
f11aea4
@rene-dekker rene-dekker merged commit 8841c2a into tigera:master Feb 3, 2025
5 checks passed
@rene-dekker rene-dekker deleted the ci-1701 branch February 3, 2025 19:32
This was referenced Feb 3, 2025
Merged
Merged
Merged
Brian-McM added a commit that referenced this pull request Feb 7, 2025
@Brian-McM
Merge pull request #3754 from rene-dekker/automated-cherry-pick-of-#3…
cd5bfc6 
…727-origin-release-v1.37

Automated cherry pick of #3727: Fix dead-lock between degraded controllers due to
Brian-McM added a commit that referenced this pull request Feb 7, 2025
@Brian-McM
Merge pull request #3755 from rene-dekker/automated-cherry-pick-of-#3…
1f06865 
…727-origin-release-v1.36

Automated cherry pick of #3727: Fix dead-lock between degraded controllers due to
marvin-tigera added a commit that referenced this pull request Feb 10, 2025
@marvin-tigera
Merge pull request #3756 from rene-dekker/automated-cherry-pick-of-#3…
a41c781 
…727-origin-release-v1.34

Automated cherry pick of #3727: Fix dead-lock between degraded controllers due to
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Brian-McM Brian-McM Brian-McM approved these changes

Assignees
No one assigned
Labels
docs-pr-required release-note-required
Projects
None yet
Milestone
v1.38.0
Development

Successfully merging this pull request may close these issues.
3 participants
@rene-dekker @Brian-McM @marvin-tigera