  1. OpenShift Etcd
  2. ETCD-585

Auto-rotation of etcd signer certs


    • Epic
    • Resolution: Done
    • Critical
    • openshift-4.17
    • Auto-rotation of etcd signer certs
    • BU Product Work
    • OCPSTRAT-1422 - [etcd] Automatic rotation of etcd signer certs when the cluster is still online
    • 0% To Do, 0% In Progress, 100% Done

      Epic Goal*

      The etcd cert rotation controller should automatically rotate the etcd-signer and etcd-metrics-signer certs (and re-sign leaf certs) as they approach expiry.

       
      Why is this important? (mandatory)

      Automatic rotation of the signer certs will reduce the operational burden of having to manually rotate the signer certs.

       
      Scenarios (mandatory) 

      etcd-signer and etcd-metrics-signer certs are rotated as they approach the end of their validity period. For the signer certs this is 4.5 years.
      https://github.com/openshift/cluster-etcd-operator/blob/d8f87ecf9b3af3cde87206762a8ca88d12bc37f5/pkg/tlshelpers/tlshelpers.go#L32
       
      Dependencies (internal and external) (mandatory)

      None

      Contributing Teams(and contacts) (mandatory) 

      Our expectation is that teams would modify the list below to fit the epic. Some epics may not need all the default groups but what is included here should accurately reflect who will be involved in delivering the epic.

      • Development - etcd team
      • Documentation - etcd docs team
      • QE - 
      • PX - 
      • Others -

      Acceptance Criteria (optional)

      Provide some (testable) examples of how we will know if we have achieved the epic goal.  

      Drawbacks or Risk (optional)

      Reasons we should consider NOT doing this such as: limited audience for the feature, feature will be superseded by other work that is planned, resulting feature will introduce substantial administrative complexity or user confusion, etc.

      Done - Checklist (mandatory)

      The following points apply to all epics and are what the OpenShift team believes are the minimum set of criteria that epics should meet for us to consider them potentially shippable. We request that epic owners modify this list to reflect the work to be completed in order to produce something that is potentially shippable.

      • CI Testing - Basic e2e automation tests are merged and completing successfully
      • Documentation - Content development is complete.
      • QE - Test scenarios are written and executed successfully.
      • Technical Enablement - Slides are complete (if requested by PLM)
      • Engineering Stories Merged
      • All associated work items with the Epic are closed
      • Epic status should be “Release Pending” 

            tjungblu@redhat.com Thomas Jungblut
            rhn-coreos-htariq Haseeb Tariq
            Ge Liu Ge Liu