Add support for custom certificate life/expiration. #3217
Conversation
|
This pull request is still valid. |
|
This repository uses an automated workflow to automatically label pull requests which have not had any activity (commit/comment/label) for 60 days. This helps us manage the community pull requests better. If the pull request is still relevant, please add a comment to the pull request so the workflow can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the workflow will automatically close the pull request in 14 days. Thank you for your contributions. |
|
This pull request is still valid. |
|
This repository uses an automated workflow to automatically label pull requests which have not had any activity (commit/comment/label) for 60 days. This helps us manage the community pull requests better. If the pull request is still relevant, please add a comment to the pull request so the workflow can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the workflow will automatically close the pull request in 14 days. Thank you for your contributions. |
This pull request adds support to RKE to allow the configuration of certificate lifetime/expiration to support typical corporate requirements for shorter certificate expiration.
This change acknowledges that the default certificate lifetime for cluster certificates is ~10 years and makes no change to that default. Instead it adds support for a
cluster.ymlconfiguration option calledcertificate_lifetime. Thecertificate_lifetimeoption accepts an integer being a number of days from the current date for which certificates will be valid. This logic is respected during both the creation of a new cluster or during certificate rotation. This modification does not make any changes to the CA's created by RKE.