Possible to set default max lifetime for TLS cert with autocert

[maxliu007]

Right place to talk about autocert as well?
I would like to find out how to configure the max lifetime (> 24 hours) of generated tls certs for a provisioner or globally with autocert in k8s on the following scenarios:

1. During installation of autocert
2. After installation of autocert

[maraino]

Right place to talk about autocert as well?

Yes, we've decided to centralize all discussions here so it's easy to find them.

The solution is to configure "claims" inside the "authority" or the "provisioner" object in the ca.json, that is stored in a configmap, something like:

"claims": {
    "maxTLSCertDuration": "2160h",
    "defaultTLSCertDuration": "24h",
}

You can see some examples in https://smallstep.com/docs/step-ca/configuration

To give you more detailed instructions I need to know how are you installing autocert.

[maxliu007]

I am now using this command to install

kubectl run autocert-init -it --rm --image smallstep/autocert-init --restart Never

[maraino]

Ok with that command, the ca.json is in the configmap config of the step namespace. With the following commands I'm gonna get the files in that configmap (ca.json and defaults.json):

mkdir /tmp/config
cd /tmp/config
kubectl -n step get configmap config -o json | jq -r '.data."ca.json"' > ca.json
kubectl -n step get configmap config -o json | jq -r '.data."defaults.json"' > defaults.json

Now you have to edit the ca.json and add the claims property, inside the authority, it can look something like:

{
    "root": "/home/step/certs/root_ca.crt",
    ...
    "authority": {
        "claims": {
            "maxTLSCertDuration": "2160h",
            "defaultTLSCertDuration": "24h"
        },
        "provisioners": [
            ...
        ]
    },
    ...
}

Leave the rest of the configuration, just add the claims block, you can edit the values as you want, that configuration sets a maximum duration of 90 days, but a default of 24h. Make sure to always set both.

Now we are going to replace the configmap with the new one:

cd /tmp/config
kubectl -n step create configmap config --dry-run=client -o yaml --from-file . | kubectl replace -f -

You can check that the ca.json now has the claims block with:

kubectl -n step get configmap config -o json | jq -r '.data."ca.json"'

And finally just restart the ca pod:

kubectl -n step rollout restart deployment ca

From this moment you can configure the annotation autocert.step.sm/duration to values up to 2160h.

[maxliu007]

Thx, it works.
To automat the installation, we can further use this command to add the default claims:

kubectl -n step get configmap config -o json | jq -r '.data."ca.json"' | jq '.authority |= . + {"claims":{"maxTLSCertDuration":"2160h","defaultTLSCertDuration":"24h"}}' > ca.json