issue: openservicemesh/osm#4817
Webhooks that need updates:
Rotation subscriptions: https://github.com/openservicemesh/osm/blob/7abf10d787d37cbc79c207888e70248c3a9eef66/pkg/certificate/manager.go#L341
Cert management details: https://release-v1-2.docs.openservicemesh.io/docs/guides/certificates/
rotation steps: https://release-v1-2.docs.openservicemesh.io/docs/guides/certificates/#root-certificate-rotation
need to update webhook config bundle: https://github.com/openservicemesh/osm/blob/fa17242a34b39d87b6555774795563aede46efaa/pkg/validator/patch.go#L79
Questions:
- this is the root cert?
- should I be using MCR
- what webhook makes sense to try
- is there a CLI to trigger cert rotation?
- examples of service-to-service rotation?
- do we need to store both for a time period?
- Cert rotation for a Service
- 24hrs: https://github.com/openservicemesh/osm/blob/28b32389bb8d792d2ac2f8ab8433b647a4a0926d/pkg/configurator/methods.go#L157
- looks like there is a timer that runs and generates an event
- then SDS gets the event and asks for a cert, which calls the issuance again?
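Added example (not OSM code, not from manager.go or patch.go): a Go standard-library sketch of what the root rotation and the "store both for a time period" question above boil down to. A hypothetical Manager keeps the current root plus the previous one as an overlap bundle, issues short-lived service leaves from the current root, verifies a leaf against the bundle, and builds the JSON patch shape that replaces a webhook configuration's clientConfig.caBundle. It goes one step past the notes by also dropping the previous root, which shows the failure mode once the overlap window closes. All names (cred, issue, Manager, Rotate, ExpirePrevious, IssueLeaf, CABundle, Verify, WebhookCABundlePatch) are assumptions for this example; locking is omitted, so treat it as single-goroutine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// cred is a certificate together with its private key (hypothetical type for this example).
type cred struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue generates a P-256 key and signs tmpl with parent (self-signed when parent is nil).
func issue(tmpl *x509.Certificate, parent *cred) (*cred, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// CreateCertificate rejects a nil serial, so a failed rand.Int still surfaces as an error.
	tmpl.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl.NotBefore = time.Now().Add(-time.Minute) // tolerate small clock skew
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &cred{cert, key}, err
}

// Manager holds the current root and keeps the previous one for an overlap window.
type Manager struct {
	current, previous *cred
}

// Rotate mints a new root and demotes the old one to previous.
func (m *Manager) Rotate(validity time.Duration) error {
	r, err := issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: fmt.Sprintf("example-root-%d", time.Now().UnixNano())},
		NotAfter:              time.Now().Add(validity),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
	if err != nil {
		return err
	}
	m.previous, m.current = m.current, r
	return nil
}

// ExpirePrevious closes the overlap window; leaves signed by the old root stop verifying.
func (m *Manager) ExpirePrevious() { m.previous = nil }

// IssueLeaf signs a short-lived service certificate (e.g. 24h) with the current root.
func (m *Manager) IssueLeaf(cn string, validity time.Duration) (*x509.Certificate, error) {
	leaf, err := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: cn},
		NotAfter:    time.Now().Add(validity),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}, m.current)
	if err != nil {
		return nil, err
	}
	return leaf.cert, nil
}

// CABundle is the PEM trust bundle: the current root plus the previous one during overlap.
func (m *Manager) CABundle() []byte {
	var b []byte
	for _, r := range []*cred{m.current, m.previous} {
		if r != nil {
			b = append(b, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: r.cert.Raw})...)
		}
	}
	return b
}

// Verify checks a leaf against the bundle, so leaves from either root pass during overlap.
func (m *Manager) Verify(leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(m.CABundle())
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

// WebhookCABundlePatch builds the JSON patch for a webhook configuration's caBundle.
// caBundle is []byte in the Kubernetes API, so its JSON value is the base64 of the PEM bundle.
func (m *Manager) WebhookCABundlePatch(webhookIndex int) ([]byte, error) {
	return json.Marshal([]map[string]string{{
		"op":    "replace",
		"path":  fmt.Sprintf("/webhooks/%d/clientConfig/caBundle", webhookIndex),
		"value": base64.StdEncoding.EncodeToString(m.CABundle()),
	}})
}
```

Usage: `m := &Manager{}; m.Rotate(48 * time.Hour)` creates the first root; a later `Rotate` keeps the old root in the bundle, so a leaf issued before rotation still verifies until `ExpirePrevious` is called. The patch path index is an assumption: it must match the position of the webhook being updated in the configuration's `.webhooks` list.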
controller resync: https://groups.google.com/g/kubernetes-sig-api-machinery/c/PbSCXdLDno0
A resync is different than a relist. The resync plays back all the events held in the informer cache. A relist hits the API server to re-get all the data.
Since we introduced the rate limited work queue a few releases ago, the need to wait for a resync to retry has largely disappeared since an error during processing gets requeued on an incrementing delay.
Think of the resync as insurance. You probably want it set more than a few minutes, less than a few hours. If you're using requeuing correctly and avoiding panics, you aren't likely to benefit from rescanning all the data very often.
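Added example (not client-go and not from the thread above): a Go standard-library sketch of the two mechanisms the quote contrasts. A hypothetical rate-limited Queue re-adds a failed item after an increasing delay (Backoff, AddRateLimited, Forget), and Run replays an in-memory cache every resync interval, which is the informer resync; nothing here talks to an API server, which is what a relist would do. All names and the backoff formula (base * 2^retries, capped) are assumptions for this example.

```go
package main

import (
	"context"
	"sync"
	"time"
)

// Backoff returns the delay after `retries` failures: base * 2^retries, capped at limit.
func Backoff(retries int, base, limit time.Duration) time.Duration {
	if retries > 30 { // avoid shifting into overflow
		return limit
	}
	if d := base << uint(retries); d < limit {
		return d
	}
	return limit
}

// Queue is a minimal rate-limited work queue (hypothetical, in the spirit of client-go's
// workqueue): failed items come back after a growing delay, Forget resets the counter.
type Queue struct {
	mu          sync.Mutex
	retries     map[string]int
	items       chan string
	base, limit time.Duration
}

func NewQueue(base, limit time.Duration) *Queue {
	return &Queue{retries: map[string]int{}, items: make(chan string, 1024), base: base, limit: limit}
}

// Add enqueues key immediately (blocks only if the buffer is full).
func (q *Queue) Add(key string) { q.items <- key }

// AddRateLimited schedules key again after the backoff for its failure count and returns that delay.
func (q *Queue) AddRateLimited(key string) time.Duration {
	q.mu.Lock()
	n := q.retries[key]
	q.retries[key] = n + 1
	q.mu.Unlock()
	d := Backoff(n, q.base, q.limit)
	time.AfterFunc(d, func() { q.Add(key) })
	return d
}

// Forget clears the failure count once key was processed successfully.
func (q *Queue) Forget(key string) {
	q.mu.Lock()
	delete(q.retries, key)
	q.mu.Unlock()
}

// Run processes items with handler until ctx is done. A handler error requeues the item
// with backoff; every resync interval the cached keys are replayed as insurance, without
// contacting any API server (that would be a relist, not a resync).
func Run(ctx context.Context, q *Queue, cache []string, resync time.Duration, handler func(string) error) {
	ticker := time.NewTicker(resync)
	defer ticker.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-ticker.C:
			for _, k := range cache {
				q.Add(k)
			}
		case key := <-q.items:
			if err := handler(key); err != nil {
				q.AddRateLimited(key)
				continue
			}
			q.Forget(key)
		}
	}
}
```

With requeuing in place the resync interval is only a safety net, which is the point of the quote: a transient failure is retried after 1, 2, 4, ... units of the base delay long before the next resync replays the whole cache.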