Extending OSM-injected pod’s client certificate lifetime

    #ServerlessTips - Open Service Mesh
    Author: Stephane Eyskens, Azure MVP

    By default, the client certificates made available to Open Service Mesh (OSM) sidecars are valid for 24 hours, after which they should be rotated automatically by OSM. The lifetime can be changed to suit specific requirements, but as of June 2023 there is zero documentation available about how.

    I had to dive into Open Service Mesh’s source code to figure out how this works. The duration can be defined using the units shown in the image:

    Figure 1 – units extracted from the OSM code base

    The biggest unit is the hour, and by default it is set to 24. Strangely enough, you can specify the duration down to the nanosecond… The maximum duration is sky high, but it is important that you respect a certain format, including commas, etc. The ParseDuration function is in charge of validating the provided duration.

    Beware that Open Service Mesh will not complain if you provide an invalid value and will instead fall back to 24h.
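    To make the validation and fallback behaviour concrete, here is an added Go example (not OSM’s own code) that parses a certificate validity string with the standard library’s time.ParseDuration, the function the article refers to, and falls back to the 24h default on an invalid value, but surfaces the error instead of swallowing it, so a silent misconfiguration cannot go unnoticed. The function name, the hypothetical helper and the sample values are constructed for this example.

```go
package main

import (
	"fmt"
	"log"
	"time"
)

// defaultValidity mirrors the 24h default described in the article.
const defaultValidity = 24 * time.Hour

// certValidity is a hypothetical helper (not OSM code). It accepts the same
// unit suffixes as time.ParseDuration: ns, us (or µs), ms, s, m and h.
// On an empty or invalid value it returns the 24h default; unlike the silent
// fallback the article warns about, it also returns an error so the caller
// can log or reject the misconfiguration.
func certValidity(raw string) (time.Duration, error) {
	if raw == "" {
		return defaultValidity, nil
	}
	d, err := time.ParseDuration(raw)
	if err != nil {
		return defaultValidity, fmt.Errorf("invalid certificate validity %q, falling back to %s: %w", raw, defaultValidity, err)
	}
	if d <= 0 {
		return defaultValidity, fmt.Errorf("non-positive certificate validity %q, falling back to %s", raw, defaultValidity)
	}
	return d, nil
}

func main() {
	// Constructed sample inputs: valid values, the "sky high" maximum
	// time.Duration can represent, and typical typos that would silently
	// become 24h in the behaviour the article describes.
	samples := []string{"", "48h", "1h30m", "90m", "2562047h47m16.854775807s", "2 days", "24hours", "-5h"}
	for _, raw := range samples {
		d, err := certValidity(raw)
		if err != nil {
			log.Printf("WARNING: %v", err)
		}
		fmt.Printf("%-28q -> %s\n", raw, d)
	}
}
```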
