TLS Certificate Renewal #960
Labels
untriaged
Issues that have not yet been triaged
Comments
|
As a workaround, you can delete the below secrets manually and it will get regenerate by opensearch-operator in 4-5 mins. After that perform rollout restart of deployments, daemonsets and statefulset Secrets: To check validity of the cert use the below command
If there is any other way we can address this, please share the same. |
|
Why not provide configuration to actually create the leaf cert to be set to 10 years as well? And add an annotation for expiry. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
I noticed in the code that the root CA is generated with a 10-year validity, while the leaf certificates are valid for only 1 year. What happens to the cluster if the leaf certificates are not updated after they expire? Will inter-node communication fail, leading to a full cluster failure?
As the certificate nears its expiry date, what is the recommended process for updating it? Is there any OpenSearch metric that indicates when a certificate is nearing expiration?
If we manually update the node certificates, will the operator automatically detect the change and perform a rolling restart?
The text was updated successfully, but these errors were encountered: