Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support monitoring CA rotation #1448

Open
mgagliardo91 opened this issue Jul 18, 2023 · 1 comment
Open

Support monitoring CA rotation #1448

mgagliardo91 opened this issue Jul 18, 2023 · 1 comment

Comments

@mgagliardo91
Copy link

We are currently deploying our SpiceDB cluster using the K8s operator and have it setup with a CA/TLS certificate for our clients to use when accessing it. Our CA's currently rotate every 90 days per our internal Ops standards. When they do, our internal services that talk to SpiceDB will pick up the change and reinitialize their client; however, SpiceDB does not currently reinitialize and will hold the value of the last, expired, certificate.

Without directly monitoring, this issue is only made apparent with an outage as our calls will start failing and erroring due to expired certificates, though the clients are using the new valid one.

Can SpiceDB support monitoring the CA cert as it does with the TLS certs? This would allow us to keep the rotation automated without worrying about kicking over pods ahead of each expiry or worrying about downtime during the rotation.

Thanks!
@ecordell ecordell transferred this issue from authzed/spicedb-operator Jul 18, 2023
@mgagliardo91
Copy link
Author

@ecordell is there any consideration in working this one? We have to keep remembering to kick over our pods when our CA expires

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mgagliardo91