Create hooks for early expiry of OOTB certs
Activity
Timofey Barmin 3 days ago
Adding more context.
For client certificates the goal is to test the following:
The fact that we rotate internal client cert automatically
Verify that nothing breaks after rotation (manual or automatic).
Verify that when the certificate that has been rotated out (prev. certificate) expires, nothing breaks (because if some service misses the rotation, old certificate will continue working until it expires)
Probably we don’t need any hooks for server certificates, because QE can verify that the server certificate has changed just by connecting to the server (server should tell the client what cert it supports). The key point for the test in this case is to check all TLS ports a node has (each service can have multiple TLS ports).
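Added example, not part of the ticket or the product's code: one way QE could run the server-certificate check described in the comment above, by recording the SHA-256 fingerprint of the certificate served on every TLS port of a node before and after a rotation and flagging ports that still serve the old one. The port numbers, sample fingerprints and the names `fetch_fingerprint`, `snapshot` and `compare_rotation` are assumptions made for this sketch.

```python
import hashlib
import socket
import ssl
import sys


def fetch_fingerprint(host, port, timeout=5.0):
    """SHA-256 of the leaf certificate served on host:port, or None if no TLS handshake."""
    # Verification is off on purpose: this only identifies which certificate
    # is being served; it does not decide whether that certificate is trusted.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except OSError:  # covers refused connections, timeouts and ssl.SSLError
        return None
    return hashlib.sha256(der).hexdigest() if der else None


def snapshot(host, ports):
    """Map each TLS port to the fingerprint it currently serves."""
    return {port: fetch_fingerprint(host, port) for port in ports}


def compare_rotation(before, after):
    """Classify each port: rotated, stale (same cert as before) or unverified."""
    result = {"rotated": [], "stale": [], "unverified": []}
    for port in sorted(set(before) | set(after)):
        old, new = before.get(port), after.get(port)
        if old is None or new is None:
            result["unverified"].append(port)  # missing in one of the snapshots
        elif old == new:
            result["stale"].append(port)       # this port missed the rotation
        else:
            result["rotated"].append(port)
    return result


# Constructed sample snapshots (hypothetical ports, shortened fingerprints).
SAMPLE_BEFORE = {9001: "aa11", 9002: "bb22", 9003: "cc33", 9004: None}
SAMPLE_AFTER = {9001: "dd44", 9002: "bb22", 9003: None, 9004: "ee55"}

if __name__ == "__main__":
    host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    before = snapshot(host, ports)
    input("Rotate the server certificate, then press Enter... ")
    print(compare_rotation(before, snapshot(host, ports)))
```

A non-empty `stale` or `unverified` list is the failure signal: a TLS port either kept the previous certificate or could not be checked.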
Abhijeeth Nuthan 3 days ago
Could you look into this one? We want to fix it in Morpheus to add QE testing.
cc

We currently generate OOTB certs for 1. Internal client certs and 2. Server certs. The expiration of these certs is usually long; for testing, though, we need a way to shorten the expiration date.
This is crucial as it gives QE and our internal testing the ability to test:
Internal client cert expiry and rotation. Note: we currently automatically rotate the internal OOTB client cert near expiry. The cluster operation is expected to not be impacted during such a rotation.
OOTB server cert expiry. We do not automatically rotate the OOTB server cert near expiry as it causes downtime of the server. We can, however, rotate the certs manually (or using a test bed).