Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Optional auto rotating/renewing certificates #40

Open
7ing opened this issue Oct 7, 2022 · 1 comment
Open

Optional auto rotating/renewing certificates #40

7ing opened this issue Oct 7, 2022 · 1 comment

Comments

@7ing
Copy link
Contributor

7ing commented Oct 7, 2022

One of the key features of csi-lib is Automatically rotating/renewing certificates near expiry.
But do we consider make this feature optional?

One particular use case is: one-time and short-lived cert for init-container (for mTLS to pull some secrets).
The user container will no longer need the cert after consuming it. Since the pod is still running, csi-lib will continue the renewal logic for this short-lived cert. With least privilege guidance, shall we disable the renewal in this case ?

Upon checking the code, all certificates will be auto renewed once it hits the NextIssuanceTime:
https://github.com/cert-manager/csi-lib/blob/v0.3.0/manager/manager.go#L499
A workaround is to set the NextIssuanceTime much longer than the pod lifetime. But add an option here (pass in as volumeAttribute) would be much cleaner logic.
@7ing
Copy link
Contributor Author

7ing commented Mar 28, 2024

bump it again up for awareness
@munnerz any thoughts ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@7ing