Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Watch ambassador-certs and ambassador-cacert secrets to avoid need to restart Ambassador #474

Closed
adrienjt opened this issue May 29, 2018 · 5 comments
Closed

Watch ambassador-certs and ambassador-cacert secrets to avoid need to restart Ambassador #474

adrienjt opened this issue May 29, 2018 · 5 comments

Comments

@adrienjt
Copy link

When setting up TLS termination following https://www.getambassador.io/user-guide/tls-termination, it took me a while to realize that I needed to restart Ambassador for it to detect the ambassador-certs secret I had created. The same way ambassador/kubewatch.py watches services for annotation changes, it could watch the ambassador-certs secret (and the ambassador-cacert secret while we're at it).

The watch loops would run concurrently. The official Kubernetes client isn't asyncio-friendly at the moment https://github.com/kubernetes-client/python/issues?utf8=%E2%9C%93&q=asyncio, but concurrent.futures with threads or raw threading would do the trick. If time allows, this multi-watch logic could be implemented upstream in the Kubernetes client: kubernetes-client/python#30

In the meantime, a bold warning in the documentation would be helpful.
@richarddli
Copy link
Contributor

Thanks for the bug report. This makes sense. If you're able to do a documentation PR on the TLS guide, that would be greatly appreciated.

adrienjt pushed a commit to adrienjt/ambassador that referenced this issue May 31, 2018
warning: deployment must be restarted when TLS secret is added or cha…
75e7b12 
…nged

mitigates emissary-ingress#474
@adrienjt adrienjt mentioned this issue May 31, 2018
Merged
@richarddli richarddli mentioned this issue Jun 11, 2018
Closed
@kevinohara80
Copy link

I'm curious if this is something that's being looked at as a roadmap item? We're trying to avoid having to build tooling around this or switch gateways. LetsEncrypt (via cert-manager) is going to rotate our cert every 90 days and automatically update ambassador-certs.

@kflynn
Copy link
Member

kflynn commented Jun 27, 2018

@kevinohara80 Very much so! We've actually been sorting out the path forward on Ambassador's roadmap just recently, so I expect to have a better sense of exactly when this will get handled shortly.

@concaf concaf mentioned this issue Jun 27, 2018
Closed
@concaf
Copy link
Contributor

concaf commented Jun 27, 2018

@KowalczykBartek volunteered to work on this earlier today 🎉

@KowalczykBartek KowalczykBartek mentioned this issue Sep 19, 2018
Closed
@kflynn
Copy link
Member

kflynn commented Jan 29, 2019

Done in RC6.

@kflynn kflynn closed this as completed Jan 29, 2019
LukeShu pushed a commit that referenced this issue Mar 19, 2019
warning: deployment must be restarted when TLS secret is added or cha…
9d1bb6f 
…nged

mitigates #474
LukeShu pushed a commit that referenced this issue Mar 31, 2019
warning: deployment must be restarted when TLS secret is added or cha…
d809504 
…nged

mitigates #474
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@kevinohara80 @kflynn @concaf @richarddli @adrienjt