[Feature request]: Support reloading TLS certificates #678
Labels
kind/feature
needs-triage
What would you like to be added?
The TLS certificates for the server are loaded only once on startup, see here. This means if the certificate is rotated (e.g. due to expiry), the server will not pick up the new certificate.
Instead, the certificate should be reloaded when the file on disk changes.
Why is this needed?
The `kube-apiserver` process can't start if the file specified in `--authentication-token-webhook-config-file` does not exist. This makes relying on the server to provision certificates a problem during bootstrapping - the apiserver needs the config file to start, and the daemonset needs the apiserver to be up to be deployed.
One way around this is to provision the certificate with some external system, which is then also responsible for rotating the certificate when it is about to expire.
Anything else we need to know?
Certificate reloading functionality is available in the certwatcher package. I'm happy to open a PR integrating this.
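As an added illustration of the requested behaviour (this is example code written for this page, not code from the project or from the certwatcher package), the Go block below shows the mechanism a reload needs: instead of passing a `tls.Certificate` loaded once at startup, the server hands `tls.Config` a `GetCertificate` hook that re-reads `tls.crt`/`tls.key` whenever their bytes change. The file names, the content-hash change check (certwatcher uses fsnotify instead; hashing on every handshake is the simplest offline-runnable stand-in), and the self-signed certificates the demo writes are all assumptions of the example. It also handles the rotation failure mode a practitioner hits in practice: if the certificate and key are rewritten non-atomically and the pair does not parse, the previous certificate stays in service rather than breaking new handshakes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

// loaded is one parsed key pair plus the SHA-256 of the PEM bytes it came from.
type loaded struct {
	cert tls.Certificate
	sum  [32]byte
}

// CertReloader hands the current on-disk certificate to the TLS stack and re-reads the files whenever their bytes change.
type CertReloader struct {
	certPath, keyPath string
	cur               atomic.Pointer[loaded]
}

// MaybeReload re-reads the pair and installs it if the bytes changed. A pair that does not parse (cert and key
// rotated non-atomically, key not matching the cert) is rejected and the previous certificate stays in service.
func (r *CertReloader) MaybeReload() (bool, error) {
	certPEM, errCert := os.ReadFile(r.certPath)
	keyPEM, errKey := os.ReadFile(r.keyPath)
	if err := errors.Join(errCert, errKey); err != nil {
		return false, err
	}
	sum := sha256.Sum256(append(append([]byte{}, certPEM...), keyPEM...))
	if c := r.cur.Load(); c != nil && c.sum == sum {
		return false, nil
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return false, err
	}
	r.cur.Store(&loaded{cert: cert, sum: sum})
	return true, nil
}

// GetCertificate is the tls.Config hook called on every handshake; install it with &tls.Config{GetCertificate: r.GetCertificate}.
// Reload errors are dropped here so the last good certificate keeps serving; production code should log them.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	_, _ = r.MaybeReload()
	if c := r.cur.Load(); c != nil {
		return &c.cert, nil
	}
	return nil, errors.New("no certificate has loaded yet")
}

// WriteSelfSigned writes a fresh self-signed Ed25519 cert and key: constructed test material standing in for the external issuer.
func WriteSelfSigned(certPath, keyPath, cn string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	must(err)
	must(os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644))
	must(os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600))
}

// Demo loads a cert once at startup, overwrites the files with a rotated one, and returns the CNs served before and after.
func Demo() (before, after string) {
	dir, err := os.MkdirTemp("", "certreload")
	must(err)
	defer os.RemoveAll(dir)
	certPath, keyPath := filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")
	WriteSelfSigned(certPath, keyPath, "initial")
	r := &CertReloader{certPath: certPath, keyPath: keyPath}
	_, err = r.MaybeReload() // the one load at startup that the server does today
	must(err)
	servedCN := func() string { // CN the hook would hand to a handshake right now
		c, _ := r.GetCertificate(nil)
		leaf, _ := x509.ParseCertificate(c.Certificate[0]) // parses: we just wrote it
		return leaf.Subject.CommonName
	}
	before = servedCN()
	WriteSelfSigned(certPath, keyPath, "rotated")
	return before, servedCN()
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```

`Demo()` returns `"initial"` and then `"rotated"` without the reloader ever being recreated. Two points carry over to a real implementation: the change detection should be event driven (fsnotify, as certwatcher does) or at least throttled rather than re-reading both files per handshake, and whoever rotates the files should swap them atomically (rename into place, or the symlink flip a Kubernetes Secret volume already does) so the hook never sees a certificate from one generation paired with a key from another.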