-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
doc: describe self signed certificate lifetime configuration
- Loading branch information
Showing
2 changed files
with
54 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,53 @@ | ||
| = Self signed certificate lifetime | ||
| :description: Customize the lifetime of self signed certificates. | ||
|
|
||
| Self signed certificates generated by the xref:secret-operator:index.adoc[secret operator] usually have a short lifetime of 24 hours. | ||
| In practice this means that Pods have to be restarted daily in order to avoid using expired certificates. | ||
| But in high load production environments, reloading Pods can be a costly operation. | ||
| It can disrupt services and in some cases even lead to data loss. | ||
| To avoid frequent restarts, the lifetime of the self signed certificates can be increased as needed. | ||
| Here is an example for configuring the lifetime of self signed certificates to 7 days in a HDFS stacklet: | ||
|
|
||
| [source,yaml] | ||
| ---- | ||
| --- | ||
| apiVersion: hdfs.stackable.tech/v1alpha1 | ||
| kind: HdfsCluster | ||
| metadata: | ||
| name: hdfs | ||
| spec: | ||
| nameNodes: | ||
| config: | ||
| requestedSecretLifetime: 7d # <1> | ||
| roleGroups: | ||
| default: | ||
| replicas: 2 | ||
| dataNodes: | ||
| config: | ||
| requestedSecretLifetime: 7d # <2> | ||
| roleGroups: | ||
| default: | ||
| replicas: 2 | ||
| journalNodes: | ||
| roleGroups: | ||
| default: | ||
| replicas: 3 | ||
| config: | ||
| requestedSecretLifetime: 7d # <3> | ||
| ---- | ||
| <1> The lifetime of the self signed certificates for *all* NameNode groups is set to 7 days. | ||
| <2> The lifetime of the self signed certificates for *all* DataNode groups is set to 7 days. | ||
| <3> The lifetime of the self signed certificates for the `default` JournalNode group is set to 7 days. | ||
|
|
||
| NOTE: The configuration for the journal nodes is done at group level for demonstration purposes. | ||
|
|
||
| Even though operators allow setting this property to a value of your choice, the secret operator will not exceed the `maxCertificateLifetime` value specifed in the referenced secret class. | ||
|
|
||
| Similarly to the example above, users can configure the lifetime of self signed certificates for the following product Stacklets: | ||
| * Apache Druid | ||
| * Apache Hadoop | ||
| * Apache HBase | ||
| * Apache Nifi | ||
| * Apache Spark | ||
| * Apache Zookeeper | ||
| * Trino |