A formula to determine Kubernetes pod reroll frequency

If you have an application running in a Kubernetes pod that uses relatively short-lived HTTPS certificates (like from Let’s Encrypt or Vault), and the application loads the certificates at startup, you may need to reroll (rollout restart) the deployment in order to trigger renewal of the certificates.

Some definitions:

  • a is the lifetime of the certificate.
  • b is the number of days before certificate expiry to start trying to renew the certificate, the renewal period.
  • c is the number of days between each reroll.
  • d is the number of times we expect a reroll to happen during a renewal period, a kind of safety factor. (In an ideal world, this would be 1, but sometimes CronJob rerolls aren’t triggered as expected.)

We know that the renewal period can at most be as long as the certificate lifetime, and we know that the reroll must happen at least once during the renewal period. We also know that if you reroll an infinite amount of times, the time period between rerolls becomes infinitely small. Thus, we end up with this formula:

$c = \frac{b}{d}, \quad b \le a, \quad 1 \le d < \infty$

In practice, you would set d to some value you feel comfortable with based on your experience, and then you can vary b according to your needs and come up with a c.

Or you could work the other way around and set c to a value that suits you (if you for example want a daily or weekly reroll for some purpose), in order to discover the ideal b.

$b = c \cdot d, \quad b \le a, \quad 1 \le d < \infty$
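To make the two formulas and their constraints concrete, here is a small Python example (added here, not part of the original post) that computes c from a, b and d, computes b from c and d, and then checks what the safety factor d actually buys you: it lists the rerolls that land inside the renewal window and reports whether the certificate still gets renewed before expiry when some of those rerolls are missed. The sample values (a 90-day certificate, a 30-day renewal window, d = 3) are constructed for illustration.

```python
import math
from datetime import date, timedelta


def _check(a: float, b: float, d: float) -> None:
    """Enforce the constraints from the post: 0 < b <= a and 1 <= d < infinity."""
    if not 0 < b <= a:
        raise ValueError(f"renewal period b={b} must be in (0, a={a}]")
    if not 1 <= d < math.inf:
        raise ValueError(f"safety factor d={d} must satisfy 1 <= d < inf")


def reroll_interval_days(a: float, b: float, d: float) -> float:
    """c = b / d: days between rerolls so that about d rerolls fall in the window."""
    _check(a, b, d)
    return b / d


def renewal_window_days(a: float, c: float, d: float) -> float:
    """b = c * d: the renewal window needed for a chosen reroll interval c."""
    b = c * d
    _check(a, b, d)
    return b


def rerolls_in_renewal_window(a: float, b: float, c: float) -> list[float]:
    """Reroll times (days since issue) that land inside the renewal window [a - b, a).

    Rerolls happen every c days starting from the pod start (day 0). A reroll at
    or after day a is too late: the certificate has already expired.
    """
    times = []
    k = 1
    while k * c < a:
        t = k * c
        if t >= a - b:
            times.append(t)
        k += 1
    return times


def survives_missed_rerolls(a: float, b: float, c: float, missed: int) -> bool:
    """True if the certificate is still renewed before expiry when `missed`
    rerolls inside the renewal window are skipped (e.g. a CronJob did not fire)."""
    return len(rerolls_in_renewal_window(a, b, c)) > missed


def reroll_dates(issued: date, a: float, c: float) -> list[date]:
    """Calendar dates of the rerolls that happen before the certificate expires.
    Whole-day rounding is an assumption of this example, not part of the post."""
    step = math.floor(c)
    return [issued + timedelta(days=k * step) for k in range(1, math.ceil(a / step))]


if __name__ == "__main__":
    a, b, d = 90, 30, 3          # constructed sample: 90-day cert, 30-day window
    c = reroll_interval_days(a, b, d)
    print(f"reroll every {c} days")
    print("rerolls inside the renewal window:", rerolls_in_renewal_window(a, b, c))
    for missed in range(d + 1):
        print(f"missed {missed} reroll(s): renewed in time = {survives_missed_rerolls(a, b, c, missed)}")
    print("working backwards, a 10-day reroll needs b =", renewal_window_days(a, 10, d))
    print("reroll dates:", reroll_dates(date(2024, 1, 1), a, c))
```

With the sample values you get a reroll every 10 days, three rerolls inside the 30-day window (days 60, 70 and 80), and the certificate is still renewed in time if any two of them are missed, which is exactly what d = 3 is meant to guarantee. Asking for b > a raises a ValueError, matching the b ≤ a constraint.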

This post also shows off a bit of MathML, which has been available in Firefox and Safari since 2011, but for some reason only arrived in Chromium-derived browsers in 2023.
