You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Start spire-server with some X default_x509_svid_ttl and reasonable Y server CA TTL. spire-server should also be making use of .data journaling of its CAs. For specific values, let's say X is two days and Y is 24 days.
spire-server should come up healthy
Turn down spire-server, and update default_x509_svid_ttl and server CA to much higher values. For specifics, let's say 14 days and 168 days, respectively.
Reality:
spire-server will spawn up fine, but will print warnings like default_x509_svid_ttl is too high. SVIDs with shorter lifetimes may be issued. Please set default_x509_svid_ttl to ${internal_value} or less to guarantee the full default_x509_svid_ttl lifetime when CA rotations are scheduled.
spire-server is now in state of potentially truncating svid TTLs until it naturally rotates, which could be a while, especially if under the shorter CA TTL the next CA was already prepated.
Expectation:
When spire-server's CA TTL config is extended, this should be detected by spire-server. It should make an effort to:
prepare a next CA (even if one already exists) using the new TTL.
On success of above, rotate to that new CA.
Prior to any of the successes above, we are still issuing SVIDs under old shorter CA- a further but likely more difficult enhancement would be to flag those for re-signing within the ecosystem in some way, though this may not strictly be necessary.
Result:
With (1) and (2) at least, spire-server will more quickly get its own CA in order with configuration, and thus leaf SVIDs will be signed with their new potentially longer TTLs more quickly as well.
(3) would be significant work and may not be worthwhile. But I think the rest may be somewhat straightforward?
Workaround:
Purge spire-server's .data directory and restart.
The text was updated successfully, but these errors were encountered:
Steps:
default_x509_svid_ttl
and reasonable Y server CA TTL. spire-server should also be making use of.data
journaling of its CAs. For specific values, let's say X is two days and Y is 24 days.default_x509_svid_ttl
and server CA to much higher values. For specifics, let's say 14 days and 168 days, respectively.Reality:
spire-server will spawn up fine, but will print warnings like
default_x509_svid_ttl is too high. SVIDs with shorter lifetimes may be issued. Please set default_x509_svid_ttl to ${internal_value} or less to guarantee the full default_x509_svid_ttl lifetime when CA rotations are scheduled.
spire-server is now in state of potentially truncating svid TTLs until it naturally rotates, which could be a while, especially if under the shorter CA TTL the
next
CA was already prepated.Expectation:
When spire-server's CA TTL config is extended, this should be detected by spire-server. It should make an effort to:
next
CA (even if one already exists) using the new TTL.Result:
With (1) and (2) at least, spire-server will more quickly get its own CA in order with configuration, and thus leaf SVIDs will be signed with their new potentially longer TTLs more quickly as well.
(3) would be significant work and may not be worthwhile. But I think the rest may be somewhat straightforward?
Workaround:
Purge spire-server's
.data
directory and restart.The text was updated successfully, but these errors were encountered: