When implementing an admission controller, we run a warp/hyper server using TLS credentials from a Secret (typically loaded from disk). These credentials can change at runtime (i.e. by cert-manager). Currently, such changes are not observed until the process is restarted (or maybe, more generally, until the server is discarded and rebuilt?).
In Linkerd, we can probably work around this manually; and this is probably more of an issue for hyper/warp, but this seems like a general problem that will impact all admission controllers so it would be best for kube-rs's examples to provide guidance on how to support certificate rotation.
Note that we're using native-tls, as we encountered a variety of Kubernetes environments that were incompatible with rustls. I expect that this deficiency exists in all TLS implementations, though.
We (the Linkerd team) are happy to help make improvements when we figure out what they are, but I wanted to open an issue here to ensure that the kube-rs community is aware of this operational concern.
Related to linkerd/linkerd2#7519
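One way to observe rotation without a restart, as an added example (Rust, standard library only) that is not part of this issue or of the kube-rs or Linkerd code bases: the server keeps a shared handle, asks it for the current identity on every accepted connection, and a poller swaps in the rewritten Secret files. It assumes the kubernetes.io/tls Secret is mounted as a directory containing tls.crt and tls.key; wiring the bytes into native-tls and hyper is left to the caller.

```rust
// Added example, not kube-rs or Linkerd code: a hot-reloadable TLS identity for an
// admission webhook whose kubernetes.io/tls Secret is mounted at `dir` (assumed
// file names tls.crt / tls.key). Instead of one acceptor built at startup, the
// accept loop calls `current()` per connection; a poller calls `reload_if_changed()`.
use std::path::{Path, PathBuf};
use std::sync::{Arc, RwLock};
use std::{fs, io};

/// PEM bytes as mounted from the Secret; feed these to e.g. native_tls::Identity.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct TlsIdentity {
    pub cert_pem: Vec<u8>,
    pub key_pem: Vec<u8>,
}

impl TlsIdentity {
    /// Kubernetes swaps the whole mount atomically (the `..data` symlink), so
    /// cert and key are read together and only ever replaced as one unit.
    pub fn load(dir: &Path) -> io::Result<Self> {
        Ok(Self { cert_pem: fs::read(dir.join("tls.crt"))?, key_pem: fs::read(dir.join("tls.key"))? })
    }
}

pub struct ReloadingIdentity {
    dir: PathBuf,
    current: RwLock<Arc<TlsIdentity>>,
}

impl ReloadingIdentity {
    pub fn new(dir: impl Into<PathBuf>) -> io::Result<Self> {
        let dir = dir.into();
        let current = RwLock::new(Arc::new(TlsIdentity::load(&dir)?));
        Ok(Self { dir, current })
    }
    /// Cheap Arc clone; build the per-connection acceptor from this.
    pub fn current(&self) -> Arc<TlsIdentity> {
        self.current.read().unwrap().clone()
    }
    /// Re-reads the mount; Ok(true) means a rotation was swapped in. A read error
    /// (e.g. mid-rotation) keeps the last good identity. Bytes, not mtimes, are compared.
    pub fn reload_if_changed(&self) -> io::Result<bool> {
        let fresh = TlsIdentity::load(&self.dir)?;
        if *self.current() == fresh {
            return Ok(false);
        }
        *self.current.write().unwrap() = Arc::new(fresh);
        Ok(true)
    }
}
```

A caveat the poller should respect: a reload error is not a reason to tear the server down, since the previous identity stays valid until its own expiry.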