Increase mesh certificate key size #969

Open
6 of 9 tasks
strekm opened this issue Aug 8, 2024 · 1 comment
Labels
area/service-mesh Issues or PRs related to service-mesh kind/feature Categorizes issue or PR as related to a new feature.
Comments

@strekm
Collaborator

strekm commented Aug 8, 2024

Description

Increase the certificate key size to 4096 bits by setting the CITADEL_SELF_SIGNED_CA_RSA_KEY_SIZE Istio env variable.

ACs:

  • key size is 4096 bits
  • setting is documented

Reasons

DoD:

  • Provide unit and integration tests.
  • Provide documentation.
  • Verify if the solution works for both open-source Kyma and SAP BTP, Kyma runtime.
  • If you changed the resource limits, explain why it was needed.
  • If the default configuration of Istio Operator has been changed, you performed a manual upgrade test to verify that the change can be rolled out correctly.
  • Verify that your contributions don't decrease code coverage. If they do, explain why this is the case.
  • Add release notes.
@strekm strekm added kind/feature Categorizes issue or PR as related to a new feature. area/service-mesh Issues or PRs related to service-mesh labels Aug 8, 2024
@strekm strekm added this to the 1.8.3 milestone Aug 12, 2024
@werdes72 werdes72 self-assigned this Aug 14, 2024
@werdes72 werdes72 removed their assignment Aug 21, 2024
@videlov videlov self-assigned this Aug 22, 2024
@videlov videlov assigned werdes72 and unassigned videlov Aug 22, 2024
@strekm
Collaborator Author

strekm commented Aug 30, 2024

This change is effective for new installations. It needs to be investigated how we can enforce that for existing installations with certificates generated with a weaker key. Proper planning might be needed in case the operation causes downtime.

@barchw barchw assigned barchw and unassigned barchw Sep 9, 2024
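
The last comment notes that the larger key size only takes effect on new installations. As an added example (not code from this project or from Istio), the Go program below reads the RSA modulus size from a PEM-encoded CA certificate, which is the check needed to identify existing installations whose certificate was generated with a weaker key. `rsaKeyBits` and `constructedCA` are hypothetical names, and the sample certificates are constructed in-process rather than read from a cluster.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// rsaKeyBits (hypothetical helper) returns the RSA modulus size of the first PEM certificate.
func rsaKeyBits(pemBytes []byte) (int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		return pub.N.BitLen(), nil
	}
	return 0, fmt.Errorf("not an RSA key: %T", cert.PublicKey)
}

// constructedCA builds a throwaway self-signed CA certificate (constructed sample input).
func constructedCA(bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true,
		Subject: pkix.Name{CommonName: "constructed-ca"}, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

func main() {
	for _, bits := range []int{2048, 4096} { // constructed weaker vs. target-sized CA
		ca, _ := constructedCA(bits)
		n, err := rsaKeyBits(ca)
		fmt.Println(n, "bits; meets 4096 target:", err == nil && n >= 4096, err)
	}
}
```

A certificate with a non-RSA key returns an error instead of a size, so it is reported separately rather than passing silently.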