Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

K8SSAND-1369 ⁃ Certificate rotation for cass-operator #308

Closed
Miles-Garnsey opened this issue Mar 31, 2022 · 3 comments
Closed

K8SSAND-1369 ⁃ Certificate rotation for cass-operator #308

Miles-Garnsey opened this issue Mar 31, 2022 · 3 comments
Assignees
@Miles-Garnsey
Labels
done Issues in the state 'done' enhancement New feature or request zh:Assess/Investigate

Comments

@Miles-Garnsey
Copy link
Member

Miles-Garnsey commented Mar 31, 2022
edited by sync-by-unito bot
Loading

What is missing?

CA certificates cannot currently be rotated without downtime for cass-operator deployed clusters.

We should enable the injection of both old and new certificates during a grace period so that CAs can be rotated smoothly.

┆Issue is synchronized with this Jira Task by Unito
┆friendlyId: K8SSAND-1369
┆priority: Medium
@Miles-Garnsey Miles-Garnsey added the enhancement New feature or request label Mar 31, 2022
@Miles-Garnsey Miles-Garnsey self-assigned this Mar 31, 2022
@sync-by-unito sync-by-unito bot changed the title Certificate rotation for cass-operator K8SSAND-1369 ⁃ Certificate rotation for cass-operator Mar 31, 2022
@jsanda
Copy link
Contributor

jsanda commented Apr 19, 2022

Hey team! Please add your planning poker estimate with ZenHub @burmanm @Miles-Garnsey

@Miles-Garnsey
Copy link
Member Author

This one is relatively complex and may benefit from a preliminary research ticket. Estimates are as follows:

  • 2 days on design work to determine how this needs to work and socialise (as there are a few options and the design doc has not been approved+merged.)
  • 4 days to implement a layer of indirection so that a change to the certificates triggers a copy of the existing encryption materials before commencing rotation.
  • 4 days to implement features relating to injecting encryption materials into the truststore and combining them.

Note that I've put estimates at the higher end of the range here but I think they will be roughly accurate once we account for the need for some nuanced test cases.

@adejanovski adejanovski moved this to Assess/Investigate in K8ssandra Nov 8, 2022
@burmanm
Copy link
Contributor

burmanm commented May 2, 2024

This work was superseded by other CA work.

@burmanm burmanm closed this as completed May 2, 2024
@github-project-automation github-project-automation bot moved this from Assess/Investigate to Done in K8ssandra May 2, 2024
@adejanovski adejanovski added the done Issues in the state 'done' label May 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Miles-Garnsey Miles-Garnsey

Labels
done Issues in the state 'done' enhancement New feature or request zh:Assess/Investigate
Projects
No open projects
K8ssandra
Archived in project
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jsanda @burmanm @adejanovski @Miles-Garnsey