Self signed certificate lifetime
Self-signed certificates generated by the secret operator usually have a short lifetime of 24 hours. In practice this means that Pods have to be restarted daily to avoid using expired certificates. In high-load production environments, however, restarting Pods can be a costly operation: it can disrupt services and in some cases even lead to data loss. To avoid frequent restarts, the lifetime of the self-signed certificates can be increased as needed. Here is an example that configures a lifetime of 7 days for the self-signed certificates in an HDFS Stacklet:
---
apiVersion: hdfs.stackable.tech/v1alpha1
kind: HdfsCluster
metadata:
  name: hdfs
spec:
  nameNodes:
    config:
      requestedSecretLifetime: 7d (1)
    roleGroups:
      default:
        replicas: 2
  dataNodes:
    config:
      requestedSecretLifetime: 7d (2)
    roleGroups:
      default:
        replicas: 2
  journalNodes:
    roleGroups:
      default:
        replicas: 3
        config:
          requestedSecretLifetime: 7d (3)
(1) The lifetime of the self-signed certificates for all NameNode groups is set to 7 days.
(2) The lifetime of the self-signed certificates for all DataNode groups is set to 7 days.
(3) The lifetime of the self-signed certificates for the default JournalNode group is set to 7 days.

NOTE: The configuration for the journal nodes is done at group level for demonstration purposes.
Even though the operators allow setting this property to a value of your choice, the secret operator will not exceed the maxCertificateLifetime value specified in the referenced SecretClass: a requested lifetime above that limit is effectively capped at it.
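To see how role-level and group-level requestedSecretLifetime settings combine and how the SecretClass limit is applied, here is an added Python example (not part of this documentation or of the Stackable operators' code). It assumes a duration syntax of digit-plus-unit tokens such as 7d, 24h or 1d12h, a constructed maxCertificateLifetime of 15d, and embeds the manifest as a dict so that no YAML library is needed.

```python
import re
from datetime import timedelta

# Duration syntax is assumed to be digit+unit tokens such as "7d", "24h" or "1d12h".
_UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([dhms])")
DEFAULT_LIFETIME = timedelta(hours=24)  # the secret operator default stated on the page

def parse_duration(text: str) -> timedelta:
    """Parse '7d' or '1d12h' into a timedelta; reject anything that is not a clean token run."""
    text = text.replace(" ", "")
    pos, total = 0, 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:
            raise ValueError(f"bad duration: {text!r}")
        total += int(m.group(1)) * _UNIT[m.group(2)]
        pos = m.end()
    if pos != len(text) or total == 0:
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=total)

def effective_lifetimes(stacklet: dict, max_certificate_lifetime: str) -> dict:
    """Per role group: group config beats role config, absent means the 24h default, then cap."""
    cap = parse_duration(max_certificate_lifetime)
    result = {}
    for role, role_spec in stacklet["spec"].items():
        if not isinstance(role_spec, dict) or "roleGroups" not in role_spec:
            continue  # not a role (e.g. image or clusterConfig keys)
        role_req = (role_spec.get("config") or {}).get("requestedSecretLifetime")
        for group, group_spec in role_spec["roleGroups"].items():
            req = (group_spec.get("config") or {}).get("requestedSecretLifetime") or role_req
            wanted = parse_duration(req) if req else DEFAULT_LIFETIME
            result[f"{role}/{group}"] = min(wanted, cap)  # secret operator never exceeds the cap
    return result

# Constructed sample: the page's HdfsCluster plus one extra DataNode group asking for 30d.
HDFS = {"spec": {
    "nameNodes": {"config": {"requestedSecretLifetime": "7d"},
                  "roleGroups": {"default": {"replicas": 2}}},
    "dataNodes": {"config": {"requestedSecretLifetime": "7d"},
                  "roleGroups": {"default": {"replicas": 2},
                                 "longlived": {"config": {"requestedSecretLifetime": "30d"}}}},
    "journalNodes": {"roleGroups": {"default": {"config": {"requestedSecretLifetime": "7d"}}}},
}}
MAX_CERT_LIFETIME = "15d"  # assumed SecretClass maxCertificateLifetime, constructed for this example

if __name__ == "__main__":
    for name, life in effective_lifetimes(HDFS, MAX_CERT_LIFETIME).items():
        print(f"{name}: {life}")
```

The longlived group shows the cap: it asks for 30d but is reported at 15d, which is what the secret operator would actually issue.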
As in the example above, users can configure the lifetime of self-signed certificates for the following product Stacklets:

- Apache Druid
- Apache Hadoop
- Apache HBase
- Apache NiFi
- Apache Spark
- Apache ZooKeeper
- Trino