-
Notifications
You must be signed in to change notification settings - Fork 29
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Cooper Tseng <cooper.tseng@suse.com>
- Loading branch information
Showing
2 changed files
with
58 additions
and
0 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,58 @@ | ||
| --- | ||
| title: KubeVirt Certificates Rotation | ||
| description: KubeVirt Certificates Rotation. | ||
| slug: kubevirt_certificates_rotation | ||
| authors: | ||
| - name: Cooper Tseng | ||
| title: Software Engineer | ||
| url: https://github.com/brandboat | ||
| image_url: https://github.com/brandboat.png | ||
| tags: [harvester, kubevirt, certificates, cert, ca] | ||
| hide_table_of_contents: false | ||
| --- | ||
|
|
||
| - Harvester: [Issue 5798](https://github.com/harvester/harvester/issues/5798) | ||
|
|
||
| In Harvester's embedded Rancher UI, you may see some warnings on the secrets page indicating that the KubeVirt certicates are about to expire. While there is no need to worry about it as KubeVirt handles automatic certificate rotation. | ||
|
|
||
|  | ||
|
|
||
| This page explains how KubeVirt manages self-signed certificates, the configuration, and the triggers for certificate rotation. | ||
|
|
||
| # KubeVirt Certificate Rotation Strategy | ||
| KubeVirt applies self-signed certificate mechamism, where both CA and certifcates are rotated on a defined recurring interval. You can check the corresponding setting `certificateRotateStrategy` by using cmd | ||
| ```sh | ||
| kubectl get kubevirt -n harvester-system -o yaml | ||
| ``` | ||
| By default, the `certificateRotateStrategy` is empty, meaning KubeVirt will use its default rotation settings, and no manual configuration is needed. | ||
| ```yaml | ||
| certificateRotateStrategy: {} | ||
| ``` | ||
| A complete configuration look like this: | ||
| ```yaml | ||
| certificateRotateStrategy: | ||
| selfSigned: | ||
| ca: | ||
| duration: 24h | ||
| renewBefore: 4h | ||
| server: | ||
| duration: 168h | ||
| renewBefore: 28h | ||
| ``` | ||
| Explanation of Fields: | ||
| - `.ca.duration`: refers to the validity period the CA certificate. The default value is 7 days. | ||
| - `.ca.renewBefore`: refers to how much time before the CA certificate expiration a new certificate should be issued. The default value is 7 days * 0.2. | ||
| - `.server.duration`: refers to the validity period of server certificates (e.g. virt-api, virt-handler, virt-operator, etc.). The default value is 1 day. | ||
| - `.server.renewBefore`: refers to how much time before the server certificates expire a new certificate should be issued. The default value is 1 day * 0.2. | ||
|
|
||
| ## Triggers for Certificate Rotation | ||
| The following conditions can trigger certificate rotation in KubeVirt, note that this list highlights key triggers and is not exhaustive. | ||
| - Missing Certificates: If a certificate doesn’t exist. | ||
| - Invalid CA Signature: If a certificate wasn’t signed by the specified CA. | ||
| - Proactive Renewal: Certificate is within the `renewBefore` period before expiration. | ||
| - CA Expiration: If the CA certificate expires, the certificate signed by the CA will also be rotated. | ||
|
|
||
| ## References | ||
| - https://kubevirt.io/2020/KubeVirt-Security-Fundamentals.html | ||
| - https://github.com/kubevirt/kubevirt/blob/v1.1.1/pkg/virt-operator/resource/generate/components/secrets.go#L326 | ||
| - https://github.com/kubevirt/kubevirt/blob/v1.1.1/pkg/virt-operator/resource/apply/certificates.go |