-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add file watcher for TLS certificate files #501
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: afritzler The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Welcome @afritzler! |
Hi @afritzler. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/ok-to-test |
Initial thoughts: Some admins may want a security posture that disallows this, it could be better to opt-in to the new feature via flag (or at a minimum support an opt-out). We need to make sure this doesn't make #350 harder to implement (seems like it shouldn't). It would be nice to see some unit test coverage. |
/cc @tallclair |
@jkh52 thanks a lot for the feedback. Let me address the point of disabling the rotation + adding some test coverage. |
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@afritzler - see the effort at #577 (it would give you attribution, but 'EasyCLA check' does not pass. Can you fix that part?) |
- Add fsnotify dependency to go.mod - Add file watcher for certificate files in `cmd/agent/app/server.go` and `cmd/server/app/server.go` - Reload TLS config and credentials on certificate file change in `cmd/agent/app/server.go` and `cmd/server/app/server.go` - Refactor and clean up file watcher code in `cmd/agent/app/server.go` and `cmd/server/app/server.go` Signed-off-by: Andreas Fritzler <[email protected]>
b18e618
to
34f2fe7
Compare
@afritzler: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Thanks a lot for the update. I fixed the CLA issue. I guess we can close this PR in favor of #577. |
Currently the agent and server are not honouring the change of TLS certificates provided to them. This PR introduces a file watcher for both agent and server to restart the corresponding components in case there as been a change in the TLS certificates.
Changes
cmd/agent/app/server.go
andcmd/server/app/server.go
cmd/agent/app/server.go
andcmd/server/app/server.go
cmd/agent/app/server.go
andcmd/server/app/server.go