Extending OSM-injected pod’s client certificate lifetime
By default, the client certificates issued to OSM sidecars are valid for 24 hours, after which OSM should rotate them automatically. The lifetime can be changed, but as of June 2023 there is no documentation on how to do it.
I had to dive into OSM's source code to figure out how this works. The duration can be defined using the following units:
Figure 1 – units extracted from the OSM code base
The largest unit is the hour, and the default is 24h. Oddly enough, you can specify the value down to the nanosecond: the accepted units are ns, us (or µs), ms, s, m and h, and they can be chained, as in 1h30m. The maximum is enormous, roughly 292 years, because the duration is stored as a signed 64-bit count of nanoseconds, but the string must follow Go's duration syntax exactly: a number, optionally with a fractional part written with a dot (1.5h, not 1,5h), immediately followed by a unit, with no spaces or unit names spelled out in full. Go's time.ParseDuration function is what validates the provided value.
Beware that OSM will not complain if you provide an invalid value: it silently falls back to 24h. After changing the setting, check the effective lifetime (for example, the validity period of a freshly issued sidecar certificate) rather than assuming your value was accepted.
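To see what time.ParseDuration accepts and how the silent fallback behaves, here is a small Go program I am adding as an example; it is not OSM's own code. It reproduces the lenient behaviour described above (anything unparsable becomes 24h) next to a strict checker you can run on your intended value before applying it. The input strings, including the typos, are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// defaultCertValidity mirrors the 24h default described in the post.
const defaultCertValidity = 24 * time.Hour

// lenientParse reproduces the fallback behaviour the post warns about:
// an unparsable value silently becomes 24h. It also reports whether the
// fallback was taken, so a caller can at least log it.
func lenientParse(s string) (time.Duration, bool) {
	d, err := time.ParseDuration(s)
	if err != nil {
		return defaultCertValidity, true
	}
	return d, false
}

// strictParse is the pre-flight check a practitioner wants: it rejects
// unparsable, zero or negative durations instead of falling back, so a
// typo such as "48hours" or "2d" surfaces as an error before it is applied.
func strictParse(s string) (time.Duration, error) {
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, fmt.Errorf("invalid duration %q: %w", s, err)
	}
	if d <= 0 {
		return 0, errors.New("certificate validity must be positive")
	}
	return d, nil
}

func main() {
	// Constructed inputs: valid Go durations, common typos, and edge cases.
	inputs := []string{"24h", "72h", "1.5h", "1,5h", "90m", "1h30m", "500ms", "1ns", "48hours", "2d", "", "-1h"}
	for _, in := range inputs {
		d, fell := lenientParse(in)
		_, err := strictParse(in)
		fmt.Printf("%-10q lenient=%-10v fallback=%-5v strict_err=%v\n", in, d, fell, err)
	}
	// Largest representable duration: int64 nanoseconds, roughly 292 years.
	fmt.Println("max representable:", time.Duration(1<<63-1))
}
```

Running it shows that "1,5h", "48hours", "2d" and the empty string all quietly become 24h under the lenient path while the strict path rejects them, and that "-1h" is a perfectly valid Go duration, which is why the strict checker also rejects non-positive values. Use strictParse (or a one-liner based on time.ParseDuration) on the exact string you intend to put in the configuration before you apply it.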