From ee124042c2e433e4f2e5e15a6d5c0471c2abf039 Mon Sep 17 00:00:00 2001
From: Drew Wells
Date: Thu, 2 May 2024 15:24:51 -0500
Subject: [PATCH] set refresh hint to 1/3 of default CA TTL value fixes #335 (#343)
Signed-off-by: Drew Wells
---
 charts/spire/charts/spire-server/README.md | 1 +
 charts/spire/charts/spire-server/values.yaml | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/charts/spire/charts/spire-server/README.md b/charts/spire/charts/spire-server/README.md
index d138be53c..7d94afd93 100644
--- a/charts/spire/charts/spire-server/README.md
+++ b/charts/spire/charts/spire-server/README.md
@@ -147,6 +147,7 @@ In order to run Tornjak with simple HTTP Connection only, make sure you don't cr
 | `federation.enabled` | Flag to enable federation | `false` |
 | `federation.bundleEndpoint.port` | Port value for trust bundle federation | `8443` |
 | `federation.bundleEndpoint.address` | Address for trust bundle federation | `0.0.0.0` |
+| `federation.bundleEndpoint.refresh_hint` | Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server. | `5m` |
 | `federation.tls.spire.enabled` | Use spire to secure the federation bundle endpoint | `true` |
 | `federation.tls.externalSecret.enabled` | Provide your own certificate/key via tls style Kubernetes Secret | `false` |
 | `federation.tls.externalSecret.secretName` | Specify which Secret to use | `""` |
diff --git a/charts/spire/charts/spire-server/values.yaml b/charts/spire/charts/spire-server/values.yaml
index ef9e65231..9149176cd 100644
--- a/charts/spire/charts/spire-server/values.yaml
+++ b/charts/spire/charts/spire-server/values.yaml
@@ -210,6 +210,8 @@ federation:
 port: 8443
 ## @param federation.bundleEndpoint.address Address for trust bundle federation
 address: "0.0.0.0"
+ ## @param federation.bundleEndpoint.refresh_hint Hint used by federated servers on how often to refresh the bundle. CA TTL must be 3-5x the duration of this value to ensure public keys are loaded on federated servers prior to private key rotation on remote server.
+ refresh_hint: "5m"
 tls:
 spire:
@@ -877,7 +879,7 @@ tornjak:
 issuer: ""
 ## @param tornjak.config.userManagement.audience UserManagement audience check
 audience: ""
-
+
 # Tornjak supports 3 connection types: `http`, `tls`, and `mtls`.
 # The connections are determined based on provided configuration
 # When `tlsSecret` is created in this chart namespace, the TLS connection is started
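Review bot: The `## @param` comment on the new `refresh_hint` key states a hard requirement (CA TTL at least 3x this value) that nothing in the chart checks or even points to, so an operator who shortens the CA TTL or lengthens this hint can presumably end up with federated peers that have not fetched the bundle containing a newly prepared signing key before it activates, and SVIDs from that key are rejected until their next refresh. The comment should at least name the chart value that sets the CA TTL (it is not in this hunk) so the ratio can be verified, e.g. `## Keep this at or below 1/3 of the chart's CA TTL setting; a longer hint lets federated peers miss a key rotation.` The commit title sizes 5m as one third of the default CA TTL, but that default is not visible here — if the chart inherits SPIRE's stock 24h CA TTL then 5m is far below a third, so the comment should state which TTL value 5m was derived from so the next person changing either knob keeps them in step. Style: `refresh_hint` is snake_case while the chart's other keys are camelCase (`bundleEndpoint`, `externalSecret`, `secretName`); if that is deliberate to mirror the upstream SPIRE config key, a one-line comment saying so would head off a breaking rename later.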