Extending OSM-injected pod’s client certificate lifetime
    #ServerlessTips - Open Service Mesh
    Author: Stephane Eyskens, Azure MVP

    By default, client certificates made available to OSM sidecars are valid for 24 hours, after which they should be rotated automatically by OSM. The lifetime can be modified, but there is zero documentation about it as of June 2023.

    I had to dive into OSM’s source code to figure out how this works. The duration can be defined using the following units:


    Figure 1 – units extracted from the OSM code base
    The biggest unit is the hour and, by default, it is set to 24. Strangely enough, you can define the duration down to the nanosecond… The maximum duration is sky high, but you must respect a certain format, including commas etc. The ParseDuration function is in charge of validating the provided duration.

    Beware that OSM will not complain if you provide an invalid value and will instead fall back to 24h.
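
    Because the fallback is silent, it is worth checking the value before it is applied. The following is an added example, not code from OSM or from the original article: it assumes the ParseDuration mentioned above is Go's standard time.ParseDuration, the helper names checkValidity and effective are hypothetical, and the sample inputs are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// osmDefault is the 24h lifetime the article says OSM falls back to.
const osmDefault = 24 * time.Hour

// checkValidity rejects values that would trigger the silent fallback.
// Assumption: OSM parses the setting with Go's time.ParseDuration.
func checkValidity(s string) (time.Duration, error) {
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, fmt.Errorf("%q does not parse, OSM would keep %s: %w", s, osmDefault, err)
	}
	if d <= 0 {
		// Added policy, not OSM behaviour: a non-positive lifetime is never intended.
		return 0, fmt.Errorf("%q is not a positive duration", s)
	}
	return d, nil
}

// effective models the behaviour the article describes: the parsed value
// when the string parses, otherwise the 24h default with no error reported.
func effective(s string) time.Duration {
	if d, err := time.ParseDuration(s); err == nil {
		return d
	}
	return osmDefault
}

func main() {
	// Constructed sample inputs: typical values and typical typos.
	for _, s := range []string{"24h", "720h", "2h45m", "1.5h", "30d", "1,5h", "48 h", ""} {
		if d, err := checkValidity(s); err != nil {
			fmt.Printf("REJECT %-8q effective=%s (%v)\n", s, effective(s), err)
		} else {
			fmt.Printf("OK     %-8q = %s\n", s, d)
		}
	}
}
```

    A value such as "30d" is rejected here even though it looks reasonable, which is exactly the case where a mesh would keep issuing 24-hour certificates while the operator believes a longer lifetime is in force.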
