Comments (12)

ritazh avatar ritazh commented on May 29, 2024 2

+1 on supporting multiple bundles.

from cert-controller.

ahmetb avatar ahmetb commented on May 29, 2024 1

What's the invariant that'd make restarting the pod pick up the new secret?

If anything, the same container will be just restarted by the container runtime on the same host (restartpolicy) and it will still see the same volume, no? And with that, it will miss the change event and keep using the same secret.

I think it would be a lot better to do something like cross signing, or expanding the CA list by keeping both old/new (prev/next) CA certs around.

maxsmythe avatar maxsmythe commented on May 29, 2024 1

+1 to having multiple bundles. Might be worth figuring out a way to gradually roll out the cert across processes too.

adrianludwin avatar adrianludwin commented on May 29, 2024

That's right, which is exactly why RestartOnSecretRefresh exists - it's probably faster to just kill the pod and let it restart.

adrianludwin avatar adrianludwin commented on May 29, 2024

There's probably a better way but I'm not sure what it is and this worked well enough :)

adrianludwin avatar adrianludwin commented on May 29, 2024

I'm not sure. In my experience restarting the pod has always worked instantly. I feel like someone told me that once but it was some time ago...

Yup, serving up multiple certs would definitely be a cleaner way of doing this. Given that we set a default 10yr expiry period (IIRC), we were most concerned with the startup performance, where the original secret is effectively empty so there's zero chance of it working during the initial startup. Again, it wouldn't surprise me if cert-manager solved this in some much better way.

ahmetb avatar ahmetb commented on May 29, 2024

In our setup we'd much rather not use cert-manager (it comes with multiple components/CRDs).
Similarly RestartOnSecretRefresh also doesn't work because it's too violent (drops requests, and we run some HA webhooks where simultaneously restarting all of them is a recipe for disaster).

I think developing a patch around keeping both CAs in the caBundle may solve the current downtime problem while the Secret propagates and is picked up.

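
The "keep both CAs in the caBundle" approach proposed in the two comments above (prev/next CA certs side by side, so clients that still hold the old bundle and clients that already have the new one both accept the re-issued serving cert), shown as an added example in Go. This is not cert-controller's code: all keys and certificates are generated at run time as constructed test material, the service name is hypothetical, and `must` is a shortcut that a real controller would replace with error returns.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a CA signing key with its parsed certificate (constructed test material).
type ca struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// must keeps the example short; a real controller propagates these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed CA certificate valid for one day.
func newCA(name string, serial int64) *ca {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &ca{key: key, cert: must(x509.ParseCertificate(der))}
}

// issueServerCert signs a serving certificate for dnsName with the given CA,
// the way a controller issues the webhook's TLS cert from its own CA.
func issueServerCert(signer *ca, dnsName string, serial int64) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer.cert, &key.PublicKey, signer.key))
	return must(x509.ParseCertificate(der))
}

// caBundle concatenates CA certs as PEM, the shape of a webhook caBundle.
// Passing both the previous and the next CA is the "keep both CAs" idea.
func caBundle(cas ...*ca) []byte {
	var out []byte
	for _, c := range cas {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.cert.Raw})...)
	}
	return out
}

// acceptedBy reports whether a client that trusts only bundle (e.g. the API
// server calling the webhook) would accept leaf for dnsName.
func acceptedBy(bundle []byte, leaf *x509.Certificate, dnsName string) bool {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return false
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err == nil
}

// rotationOutcome simulates a CA rotation: the serving cert is re-issued from
// the next CA while some clients still hold the previous bundle. It reports whether
// the previous-only bundle accepts the new leaf, and whether a merged prev+next
// bundle accepts the old leaf and the new leaf.
func rotationOutcome() (prevOnlyAcceptsNew, mergedAcceptsOld, mergedAcceptsNew bool) {
	const host = "webhook.example.svc" // hypothetical service name
	prevCA, nextCA := newCA("prev-ca", 1), newCA("next-ca", 2)
	oldLeaf, newLeaf := issueServerCert(prevCA, host, 10), issueServerCert(nextCA, host, 11)
	merged := caBundle(prevCA, nextCA)
	return acceptedBy(caBundle(prevCA), newLeaf, host),
		acceptedBy(merged, oldLeaf, host),
		acceptedBy(merged, newLeaf, host)
}

func main() {
	a, b, c := rotationOutcome()
	fmt.Printf("prev-only bundle accepts new leaf: %v\n", a)
	fmt.Printf("merged bundle accepts old leaf: %v, new leaf: %v\n", b, c)
}
```

The first result is the downtime window the thread describes: a client still holding only the previous CA rejects the re-issued serving cert until its copy of the Secret or webhook configuration catches up. Publishing the merged bundle before the serving cert is switched closes that window, and the previous CA can be dropped from the bundle once every consumer has the new one. Note that this only helps once a first CA exists; it does not address the initial-startup case where the Secret is still empty.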
adrianludwin avatar adrianludwin commented on May 29, 2024

sgtm in all cases except for the initial startup. @maxsmythe , @ritazh , wdyt?

yizha1 avatar yizha1 commented on May 29, 2024

Hi Folks, there is a similar issue: deislabs/ratify#821. mTLS is required between Gatekeeper and the external data provider. By default, cert-controller is used to generate and rotate Gatekeeper's webhook certificate. In our case, the user manually rotated the certificate. It seems Kubernetes took about 60-90 seconds to propagate changes to Secrets. During this delay, requests sent to the external data provider will fail.

maxsmythe avatar maxsmythe commented on May 29, 2024

@acpana This could be interesting work.

acpana avatar acpana commented on May 29, 2024

Thanks for the tag, Max! I can have a look at this in my downtime from other projects. I will assign it to myself when I get to it. In the meantime, folks can feel free to jump on it if they have cycles.

dvob avatar dvob commented on May 29, 2024

I also raised this problem a while ago. See #13.
