Uploaded image for project: 'OpenShift Etcd'
  1. OpenShift Etcd
  2. ETCD-518

Refactored CertSignerController needs to garbage collect unused node certs


    • Icon: Story Story
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • None
    • None
    • 2
    • False
    • None
    • False
    • OCPSTRAT-1104 - [etcd] manual rotation of etcd signer certs when the cluster is still online
    • ETCD Sprint 249, ETCD Sprint 250

      Refactoring in ETCD-512 does not clean up certificates that are dynamically generated. Imagine you're recreating all your master nodes everyday, we would create new peer/serving/metrics certificates for each node and never clean them up.

      We should try to be conservative when cleaning them up, so keep them around for a certain retention period (7-10 days?) after the node went away.


      • CEO should clean up old-enough "node" certificates

            tjungblu@redhat.com Thomas Jungblut
            tjungblu@redhat.com Thomas Jungblut
            0 Vote for this issue
            1 Start watching this issue