Open
Description
/area sentry
Describe the proposal
Currently Dapr sentry generates a self-signed root certificate (ca.pem, issuer.pem and issuer.key), which is later used to sign the workload certificates for sidecars.
By default these certificates are generated for a period of 365 days and need to be renewed once the grace period starts, which is configured to be 30 days in sentry. Right now we have CLI
commands that can be used to renew these certificates with ease.
This issue is for discussing the options to automatically regenerate root.pem, issuer.pem and issuer.key.
The diagram below shows a rough sketch of the process:
A few points from the diagram above:
- The auto cert rotator can be a separate process that tracks the grace period for certificate expiry and, once it is reached, creates new certs and stores them in a different k8s store.
- The newly created root CAs can then be installed on all sidecars along with the old CAs.
- Any new request for workload signing will be signed with the newly created certs and key.
- We can wait for ca_injection_completed_time + 24 hrs and then start the cleanup phase, which deletes the old installed CAs in the sidecars, copies the secrets from the secondary store to the primary store and finally deletes the secondary k8s store.
- We will need to handle rollback scenarios in case of any failure in the cleanup phase.
As of now this is just a theoretical concept, inspired by the Istio system.
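The dual-trust window the points above describe, as an added Go example that is not Dapr's or sentry's own code: a root counts as due for rotation once it is inside the grace period, a workload cert signed by the new root verifies only on a sidecar whose bundle already holds the new root, and a cert from the old root stops verifying once cleanup drops the old root from the bundle. The function names, the ECDSA keys, the single-serial templates and the 24h workload validity are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// inGracePeriod reports whether a root CA has entered its renewal window, i.e.
// it expires within grace of now (sentry's default grace period is 30 days).
func inGracePeriod(ca *x509.Certificate, now time.Time, grace time.Duration) bool {
	return !now.Before(ca.NotAfter.Add(-grace))
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a key pair and certificate for cn signed by parent; with
// parent == nil it is self-signed, like the ca.pem sentry generates at startup.
func issue(cn string, usage x509.KeyUsage, from time.Time, validity time.Duration,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, KeyUsage: usage,
		NotBefore: from, NotAfter: from.Add(validity), IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// trustedBy verifies a workload cert against a sidecar's trust bundle (old and new root during rotation).
func trustedBy(leaf *x509.Certificate, bundle []*x509.Certificate, now time.Time) bool {
	pool := x509.NewCertPool()
	for _, root := range bundle {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	return err == nil
}
```

The cleanup step in the proposal corresponds to dropping the old root from the bundle, after which only workload certs issued by the new root verify.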