  1. Couchbase Kubernetes
  2. K8S-1551

Rotate TLS over TLS


Details

    • Improvement
    • Resolution: Fixed
    • Critical
    • 2.1.0
    • None
    • operator
    • 5

    Description

      We rectify TLS in plaintext because our client certificates may have been rotated while we are down and we are now unable to communicate with Server. Which is all well and good with the exception that your admin username and password are going over the wire in the nude.

      With password rotation, we persist the last known working password so that we can use this upon restart in case pesky users have changed it in the meantime. Thus we can talk to CBS with the old one and rotate to the new one.

      Using a similar technique, we can cache the last known valid TLS CA, and client chain/key pair and use this. I'm almost certain we may need to sacrifice some get-out-of-jail-free cards but to say 100% for certain that nothing happens over plaintext I'm happy to take the fall.
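
      The restart flow proposed above, as an added Go example that is not taken from the operator's code: the `Material` type, the `Ops` hooks and `ErrNoTLSPath` are hypothetical names. It goes slightly beyond the description by also covering a crash between rotating and persisting the new material.

```go
package main

import (
	"errors"
	"fmt"
)

// Material: CA plus client chain/key pair, PEM-encoded (hypothetical type).
type Material struct{ CA, Chain, Key string }

// Ops is every side effect the logic needs; all four hooks are hypothetical.
type Ops struct {
	Load   func() (Material, bool)            // last known-good set from persistent storage
	Store  func(Material) error               // persist a set as last known-good
	Probe  func(Material) error               // TLS handshake plus an authenticated request
	Rotate func(current, next Material) error // install next, talking TLS with current
}

var ErrNoTLSPath = errors.New("no cached or desired TLS material works; refusing plaintext")

// Reconcile moves the server to desired without ever leaving TLS.
func Reconcile(o Ops, desired Material) error {
	cached, ok := o.Load()
	if !ok || o.Probe(cached) != nil {
		// A crash between Rotate and Store leaves the server on desired: try it, never plaintext.
		if o.Probe(desired) != nil {
			return ErrNoTLSPath
		}
		return o.Store(desired)
	}
	if cached == desired {
		return nil
	}
	if err := o.Rotate(cached, desired); err != nil {
		return fmt.Errorf("rotate over TLS: %w", err)
	}
	if err := o.Probe(desired); err != nil {
		return fmt.Errorf("verify new material: %w", err)
	}
	return o.Store(desired) // desired becomes last known-good only after it is proven
}

func main() { // constructed stand-in: empty cache, server rejects every handshake
	o := Ops{
		Load:  func() (Material, bool) { return Material{}, false },
		Probe: func(Material) error { return errors.New("handshake failed") },
	}
	fmt.Println(Reconcile(o, Material{CA: "new"}))
}
```

      The `ErrNoTLSPath` branch is where a plaintext fallback would otherwise sit; returning an error there means recovery needs someone to supply working material.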


          People

            simon.murray Simon Murray
            simon.murray Simon Murray