Self signed root certificate renewal

Hello,

The root certificate that is automatically generated by the operator via cert-manager is valid for one year.

I have the following questions:

  1. What will happen to the db once the root certificate expires?
  2. Is the operator programmed to handle this situation or will I need to manually intervene?
  3. Is there a simple way to extend the expiration time of the root certificate (let's say for 10 years)?

Thank you in advance.


Hi @yonigo, thanks for using the forum for these questions!

Here are the answers to your questions:

=> 1. What will happen to the db once the root certificate expires?
Upon the expiration of the root certificate, any new connections or services that rely on this certificate for trust validation will fail. This can result in database connection errors, as clients and services will no longer trust the certificate provided by the database server.
Existing connections might continue to work until they are restarted or until a reauthentication is required. Certificates should be updated to newer ones before expiration.

=> 2. Is the operator programmed to handle this situation, or will I need to manually intervene?
You need to customize it. The operator could generate certificates and use self-signed certificates. However, self-signed certificates are not suitable for proper production usage because it’s impossible to customize such certificates. You need to use the proper one. You can use cert-manager.io which provides Kubernetes resources for easy certificate issuing/renewal/monitoring and management.

=> 3. Is there a simple way to extend the expiration time of the root certificate (let's say for 10 years)?
You can do it by obtaining a certificate from a trusted Certificate Authority.
For production environments, it’s advisable to use certificates issued by a trusted CA. These certificates are inherently trusted by most clients and browsers and don’t require the extra step of manually trusting a self-signed certificate.

These responses were prepared in collaboration with @nickolay.ihalainen!

Please let us know if you have more questions about it.

Thanks!


Thanks for the quick response.
Could you please provide a bit more clarification? If I still want to use the self-signed certificate that is automatically created by the operator using the cert-manager, is there a way to extend its expiration beyond the default one year?

Hi @yonigo, we do not have such functionality at this moment. You can create an FR for us, or a PR, to be able to set an expiration date via the CR.


Eventually I've solved this by creating my own certificates using cert-manager CRs (the resource names are identical to the ones the operator creates; this way the operator won’t bother to create its own):

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: <psmdb-database.fullname>-psmdb-ca-issuer
spec:
  selfSigned: {}

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <psmdb-database.fullname>-ca-cert
spec:
  commonName: <psmdb-database.fullname>-ca
  duration: 87600h
  isCA: true
  issuerRef:
    kind: Issuer
    name: <psmdb-database.fullname>-psmdb-ca-issuer
  renewBefore: 720h
  secretName: <psmdb-database.fullname>-ca-cert

---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: <psmdb-database.fullname>-psmdb-issuer
spec:
  ca:
    secretName: <psmdb-database.fullname>-ca-cert

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <psmdb-database.fullname>-ssl-internal
spec:
  secretName: <psmdb-database.fullname>-ssl-internal
  issuerRef:
    name: <psmdb-database.fullname>-psmdb-issuer
    kind: Issuer
  subject:
    organizations:
      - PSMDB
  commonName: "<psmdb-database.fullname>"
  ipAddresses:
  - "127.0.0.1"
  dnsNames:
  - "localhost"
  - ...
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <psmdb-database.fullname>-ssl
spec:
  secretName: <psmdb-database.fullname>-ssl
  issuerRef:
    name: <psmdb-database.fullname>-psmdb-issuer
    kind: Issuer
  subject:
    organizations:
      - PSMDB
  commonName: "<psmdb-database.fullname>"
  ipAddresses:
  - "127.0.0.1"
  dnsNames:
  - "localhost"
  - ...
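As an added example that is not part of the thread, the operator or cert-manager, a small Python pre-apply check for the duration/renewBefore values in manifests like the one above; the limits it enforces (duration at least 1h, renewBefore at least 5m and shorter than duration, 90-day default duration with renewBefore one third of it) are assumed from cert-manager's documented validation rules. It also reports the effective values for the leaf Certificates above, which set no duration of their own and so receive that default rather than the ten years given to the CA.

```python
"""Pre-apply check of cert-manager Certificate durations (added example, not the
operator's or cert-manager's code; limits are assumed from cert-manager's docs)."""
import re
from datetime import datetime, timedelta

MIN_DURATION = timedelta(hours=1)         # spec.duration must be >= 1h
MIN_RENEW_BEFORE = timedelta(minutes=5)   # spec.renewBefore must be >= 5m
DEFAULT_DURATION = timedelta(hours=2160)  # 90 days when spec.duration is omitted
_UNITS = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(h|ms|m|s)")  # 'ms' listed before 'm'

def parse_go_duration(text: str) -> timedelta:
    """Parse a Go-style duration such as '87600h' or '1h30m' (h/m/s/ms only)."""
    pos, seconds = 0, 0.0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:             # reject garbage between tokens
            raise ValueError(f"bad duration: {text!r}")
        seconds += float(m.group(1)) * _UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):     # empty string or trailing garbage
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=seconds)

def check_certificate_spec(spec: dict) -> dict:
    """Resolve the effective duration/renewBefore and list rule violations."""
    duration = parse_go_duration(spec["duration"]) if "duration" in spec else DEFAULT_DURATION
    renew_before = (parse_go_duration(spec["renewBefore"]) if "renewBefore" in spec
                    else duration / 3)   # cert-manager default: one third of duration
    problems = []
    if duration < MIN_DURATION:
        problems.append("duration below 1h")
    if renew_before < MIN_RENEW_BEFORE:
        problems.append("renewBefore below 5m")
    if renew_before >= duration:
        problems.append("renewBefore must be shorter than duration")
    if spec.get("isCA") and "duration" not in spec:
        problems.append("CA without explicit duration gets the 90-day default")
    return {"duration": duration, "renewBefore": renew_before, "problems": problems}

def renewal_time_iso(not_before_iso: str, spec: dict) -> str:
    """When cert-manager starts renewing: notBefore + duration - renewBefore."""
    eff = check_certificate_spec(spec)
    start = datetime.fromisoformat(not_before_iso)
    return (start + eff["duration"] - eff["renewBefore"]).isoformat()
# Constructed specs mirroring the manifest above (name placeholders omitted).
CA_SPEC = {"isCA": True, "duration": "87600h", "renewBefore": "720h"}
LEAF_SPEC = {"commonName": "psmdb-database"}   # relies on cert-manager defaults
if __name__ == "__main__":
    for name, spec in (("ca-cert", CA_SPEC), ("ssl", LEAF_SPEC)):
        print(name, check_certificate_spec(spec))
```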