This commit was created on GitHub.com and signed with GitHub’s verified signature.
What's new
Edge TLS certificates now rotate without downtime. When a certificate is renewed (for example by cert-manager), the operator updates Envoy on the VPS in place, with no dropped connections and no restart. Previously a renewed certificate was copied to the VPS but Envoy kept serving the old one until it expired, which could take a TLS listener down. If you use TLS offload or mutual mode, you no longer need to do anything on renewal.
Fixes
PortBindings no longer leak across namespaces. If you had two EdgeNodes with the same name in different namespaces, a PortBinding could be applied to the wrong one. Bindings are now matched by both name and namespace.
Private keys are cleaned up when you remove a TLS binding. Deleting a TLS PortBinding (or switching it away from offload/mutual) now removes its certificate and key from the VPS, instead of leaving them on disk until the node is deleted.
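The PortBinding fix above, as an added example (not the operator's own code): it contrasts name-only matching with name-plus-namespace matching and lists the bindings that only the old rule would select. The `EdgeNode` and `PortBinding` shapes, the `NodeName` field and the sample objects are hypothetical, and it assumes a binding targets an EdgeNode in its own namespace.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical, simplified shapes: the real CRD fields are not shown in these notes.
type EdgeNode struct{ Namespace, Name string }

// NodeName is assumed to name an EdgeNode in the binding's own namespace.
type PortBinding struct{ Namespace, Name, NodeName string }

// Constructed sample data: two tenants each own an EdgeNode called "edge-1".
var sampleNodes = []EdgeNode{{"team-a", "edge-1"}, {"team-b", "edge-1"}, {"team-b", "edge-2"}}
var sampleBindings = []PortBinding{
	{"team-a", "web", "edge-1"}, {"team-b", "admin", "edge-1"}, {"team-b", "metrics", "edge-2"},
}

// match returns the bindings selected for node n. With byNameOnly set it
// reproduces the pre-fix rule; otherwise namespace and name must both agree.
func match(n EdgeNode, bs []PortBinding, byNameOnly bool) []string {
	var out []string
	for _, b := range bs {
		if b.NodeName == n.Name && (byNameOnly || b.Namespace == n.Namespace) {
			out = append(out, b.Namespace+"/"+b.Name)
		}
	}
	sort.Strings(out)
	return out
}

// misapplied lists "node <- binding" pairs that only the name-only rule selects.
func misapplied(nodes []EdgeNode, bs []PortBinding) []string {
	var out []string
	for _, n := range nodes {
		for _, b := range bs {
			if b.NodeName == n.Name && b.Namespace != n.Namespace {
				out = append(out, n.Namespace+"/"+n.Name+" <- "+b.Namespace+"/"+b.Name)
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println(match(sampleNodes[0], sampleBindings, true), match(sampleNodes[0], sampleBindings, false))
	fmt.Println(misapplied(sampleNodes, sampleBindings))
}
```

An empty result from `misapplied` over your own object lists means no EdgeNode name is shared across namespaces in a way the old rule could have confused.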
Upgrade notes
No configuration or CRD changes are required. After upgrading, EdgeNodes reconcile and move existing TLS bindings to the new mechanism automatically. Old certificate files left on the VPS by previous versions are cleaned up on the next reconcile.