Description
Relevant decision: #673
As a user of SDP I want to be able to configure the lifetime of certificates generated by the secret-operator from within the custom resources themselves, without having to use any podOverrides.
Value
We want this to reduce the documentation and support overhead that the current podOverrides approach causes.
Multiple customers have asked how to change the lifetime of certificates and we've had to provide custom override snippets.
This will make it easier for us and for our users.
Lifetimes should use a human-readable duration format like stackable_operator::time::Duration, which also closely resembles the Go / K8s format.
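To make the format and the "minimum and maximum lifetimes" task concrete, here is an added, self-contained Rust example (not code from the stackable_operator crate or any Stackable operator): a small parser for Go/K8s-style duration strings such as `1d`, `12h30m` or `90s`, plus the policy check an operator would run on a user-supplied lifetime before handing it to the secret-operator. The unit set (`d`, `h`, `m`, `s`, `ms`), the descending-order rule, the `LifetimePolicy` type and the one-hour / fifteen-day bounds are all assumptions chosen for the example.

```rust
use std::fmt;
use std::time::Duration;

/// Why a user-supplied lifetime string was rejected.
#[derive(Debug, PartialEq)]
pub enum LifetimeError {
    Empty,
    InvalidUnit(String),
    InvalidNumber(String),
    Overflow,
    BelowMinimum { requested: Duration, minimum: Duration },
    AboveMaximum { requested: Duration, maximum: Duration },
}

impl fmt::Display for LifetimeError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            LifetimeError::Empty => write!(f, "lifetime must not be empty"),
            LifetimeError::InvalidUnit(u) => write!(
                f,
                "unknown or misordered unit {:?} (expected d, h, m, s, ms in descending order)",
                u
            ),
            LifetimeError::InvalidNumber(n) => write!(f, "invalid number {:?}", n),
            LifetimeError::Overflow => write!(f, "duration too large"),
            LifetimeError::BelowMinimum { requested, minimum } => {
                write!(f, "requested lifetime {:?} is below the minimum {:?}", requested, minimum)
            }
            LifetimeError::AboveMaximum { requested, maximum } => {
                write!(f, "requested lifetime {:?} exceeds the maximum {:?}", requested, maximum)
            }
        }
    }
}

/// Parse a human-readable duration such as "1d", "12h30m" or "1500ms".
/// Hypothetical re-implementation of the Go/K8s-like format for this example:
/// units may be chained, each at most once, in descending order.
pub fn parse_duration(input: &str) -> Result<Duration, LifetimeError> {
    let s = input.trim();
    if s.is_empty() {
        return Err(LifetimeError::Empty);
    }
    let mut total_ms: u128 = 0;
    let mut last_rank = usize::MAX; // rank of the previous unit, to enforce descending order
    let mut rest = s;
    while !rest.is_empty() {
        // Split off the leading run of digits.
        let digits_end = rest.find(|c: char| !c.is_ascii_digit()).unwrap_or(rest.len());
        if digits_end == 0 {
            return Err(LifetimeError::InvalidNumber(rest.to_string()));
        }
        let (num, after) = rest.split_at(digits_end);
        let value: u128 = num
            .parse()
            .map_err(|_| LifetimeError::InvalidNumber(num.to_string()))?;
        // The unit runs up to the next digit (or the end of the string).
        let unit_end = after.find(|c: char| c.is_ascii_digit()).unwrap_or(after.len());
        let (unit, next) = after.split_at(unit_end);
        let (rank, factor_ms): (usize, u128) = match unit {
            "d" => (4, 86_400_000),
            "h" => (3, 3_600_000),
            "m" => (2, 60_000),
            "s" => (1, 1_000),
            "ms" => (0, 1),
            other => return Err(LifetimeError::InvalidUnit(other.to_string())),
        };
        if rank >= last_rank {
            return Err(LifetimeError::InvalidUnit(unit.to_string()));
        }
        last_rank = rank;
        let part = value.checked_mul(factor_ms).ok_or(LifetimeError::Overflow)?;
        total_ms = total_ms.checked_add(part).ok_or(LifetimeError::Overflow)?;
        rest = next;
    }
    let secs = u64::try_from(total_ms / 1000).map_err(|_| LifetimeError::Overflow)?;
    let nanos = ((total_ms % 1000) as u32) * 1_000_000;
    Ok(Duration::new(secs, nanos))
}

/// Assumed operator-side policy: a requested lifetime must lie within [minimum, maximum].
pub struct LifetimePolicy {
    pub minimum: Duration,
    pub maximum: Duration,
}

/// Parse the CRD value and reject lifetimes outside the policy bounds, so a user
/// cannot silently issue very long-lived certificates via the new field.
pub fn validate_requested_lifetime(
    requested: &str,
    policy: &LifetimePolicy,
) -> Result<Duration, LifetimeError> {
    let d = parse_duration(requested)?;
    if d < policy.minimum {
        return Err(LifetimeError::BelowMinimum { requested: d, minimum: policy.minimum });
    }
    if d > policy.maximum {
        return Err(LifetimeError::AboveMaximum { requested: d, maximum: policy.maximum });
    }
    Ok(d)
}

fn main() {
    // Example bounds: one hour minimum, fifteen days maximum (assumed values).
    let policy = LifetimePolicy {
        minimum: Duration::from_secs(60 * 60),
        maximum: Duration::from_secs(15 * 24 * 60 * 60),
    };
    for requested in ["1d", "12h30m", "7d", "30d", "1w", "30s1m"] {
        match validate_requested_lifetime(requested, &policy) {
            Ok(d) => println!("{:>7} -> accepted ({} s)", requested, d.as_secs()),
            Err(e) => println!("{:>7} -> rejected: {}", requested, e),
        }
    }
}
```

Keeping the bounds check in the operator, rather than only documenting a recommended range, is what turns the risk noted under "Risk Assessment" into something enforceable: the convenience field cannot be used to exceed whatever maximum the platform decides on.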
Dependencies
This will require a CRD change which needs to be discussed and voted on before it can be implemented.
Tasks
- [x] Brainstorm/Design CRD solution and vote on it
- [x] Implement required changes across all operators that support TLS including handling minimum and maximum lifetimes
- [x] Add a documentation concept page explaining the change => https://github.com/stackabletech/documentation/pull/689
- [x] Remove any documentation referring to the old way of configuring this using podOverrides. First PR: https://github.com/stackabletech/trino-operator/pull/681
- [x] Close https://github.com/stackabletech/secret-operator/issues/353
TODO: Amend the tasklist with a list of all operators needing this CRD change.
Acceptance Criteria
- Users have a way of configuring TLS certificate lifetime without resorting to podOverrides
(Information Security) Risk Assessment
While this does touch TLS, which is itself a security mechanism, in most cases all it does is simplify a setting that can already be set using podOverrides.
By making it easier to increase the default lifetime we potentially decrease the security of the product, and this needs to be mentioned in the documentation page.
Release Notes
Certificates automatically generated by our secret-operator default to a lifetime of one day plus/minus a bit of jitter (TODO: Is this correct?). This leads to automatic restarts of pods when the certificates are regenerated, which can cause brief service interruptions or a brief performance hit during these restarts. Some customers have therefore asked for ways to increase the lifetime of these certificates. This was always possible using podOverrides, and in this release we have made it easier by adding a dedicated field to the CRDs of our X and X (TODO) operators called TODO which allows specifying the lifetime in a more convenient way. We have also updated the documentation (LINK, TODO).