Extending OSM-injected pod’s client certificate lifetime
By default, the client certificates made available to Open Service Mesh (OSM) sidecars are valid for 24 hours, after which OSM rotates them automatically. The lifetime can be changed to suit specific requirements, but as of June 2023 there is zero documentation about how.
I had to dive into Open Service Mesh's source code to figure out how this works. The duration can be expressed using the units shown in Figure 1:
Figure 1 – units extracted from the OSM code base
The biggest unit is the hour and by default it is set to 24. Strangely enough, you can specify the lifetime down to the nanosecond. The maximum duration is sky high, but it is important that you respect a certain format, including commas, etc. The ParseDuration function is in charge of validating the provided duration.
Beware that Open Service Mesh will not complain if you provide an invalid value and will instead fall back to 24h.
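To see which spellings Go's time.ParseDuration (the function the post refers to) accepts and to catch the silent fallback before it reaches a cluster, here is an added example that is not part of OSM's code base; the function name resolveCertValidity, the sample values and the rule that a zero or negative lifetime also counts as invalid are assumptions of this example.

```go
package main

import (
	"fmt"
	"time"
)

// defaultCertValidity is the fallback lifetime the post describes: OSM
// silently uses 24h whenever the configured value cannot be parsed.
const defaultCertValidity = 24 * time.Hour

// resolveCertValidity mirrors the behaviour described in the post: the raw
// setting goes through time.ParseDuration, and anything it rejects becomes
// 24h. The second return value reports whether the fallback was used, so a
// pre-deployment check can flag a misconfiguration instead of letting it
// pass unnoticed. Treating a zero or negative duration as invalid is an
// assumption of this example, not documented OSM behaviour.
func resolveCertValidity(raw string) (time.Duration, bool) {
	d, err := time.ParseDuration(raw)
	if err != nil || d <= 0 {
		return defaultCertValidity, true
	}
	return d, false
}

func main() {
	// Constructed sample values an operator might try in the OSM setting.
	samples := []string{"48h", "2h45m", "1.5h", "1500ms", "2d", "24 hours", ""}
	for _, raw := range samples {
		d, fellBack := resolveCertValidity(raw)
		if fellBack {
			fmt.Printf("%-10q rejected by ParseDuration, OSM would silently use %v\n", raw, d)
			continue
		}
		fmt.Printf("%-10q accepted as %v\n", raw, d)
	}
}
```

Run this against the value you intend to configure; a reported fallback means OSM would keep rotating certificates every 24h regardless of what you wrote.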