-
We are currently planning a productive Talos Linux cluster. I am currently working on our security concept. I saw in the Talos documentation that the cluster CA is valid for ten years by default. This means that there is a possibility that this CA can lose its validity in the lifetime of the cluster. Is there any way to extend or replace the CA without having to rebuild the cluster? Or is there a simple workaround? I couldn't find any information about it in the documentation, just an idea that probably hasn't been implemented yet. The other question is whether replacing the CA is security relevant at all. From your point of view, can the CA remain in place for 100 years? Many thanks!
-
Talos has been around for only ~5 years, so 10 years is more than enough for any Talos cluster. We plan to implement CA rotation well before the 10 years of Talos existence ;) Today the CA can be replaced but it won't be graceful, but with a graceful process the process can be fully automated.