gRPC Client Certificate Refresh Interval is not respected #162
Comments
joeljeske
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
joeljeske
changed the title
As reported in buildbarn/bb-clientd#7
#149 added support for using client and server certificates from files on disk, for both gRPC and HTTP connections. It also added support for refreshing these certificates on an interval.
Specifically For gRPC Client certificates, the rotation is not working as intended. The original certificate is used for the duration of the process.
This is due to the same issue seen here, grpc/grpc-go#5791, where tls.Config.GetClientCertificate is not respected within grpc-go. The solution is documented to use advancedtls.NewServerCreds instead of credentials.NewTLS.
Currently, we cannot easily switch to this alternate API, since it drops support for configuring MinTLS Version as well as TLS CipherSuites and thus would be a breaking change. There is an open ticket grpc/grpc-go#5667 for adding support for configuring CipherSuites with
advancedtls, but until then, grpc client certificates will not properly rotate.The text was updated successfully, but these errors were encountered: