Replies: 1 comment 2 replies
-
@dren-dk This sounds like an interesting idea. But as you have found a solution for yourself, I think this is more sort of a discussion instead of an issue. We could firstly determine, if there would be interest in having this in the framework and how this should be integrated then. |
Beta Was this translation helpful? Give feedback.
2 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
I've seen SslReloadBundle, but that seems like it places the burden of noticing that certificates have changed on some external daemon, when it might as well be handled internally.
In my use case, as I suspect many others, certificates are rotated by an external daemon such as cert-manager that simply replaces the certificates when they are about to expire and that daemon doesn't particularly have a need to know about the consumer of the certificate.
The true Kubernetes way to consume certificates would be to use the API server to watch the certificate resource and reload it when it changes, but that comes with a somewhat heavy burden of having to depend on the k8s api, when that might not otherwise be needed.
I think the simplest solution is to simply mount the TLS secret in the filesystem and load the certificates from the file system and then periodically poll the files for changes.
For my own dropwizard-kubernetes-https module I've implemented a very simple automatic ssl reloader that does not need an external daemon to poke the server to reload the certificates and I wonder if something like this is a candidate for core?
https://gitlab.com/dren.dk/dropwizard-kubernetes-https/-/tree/main/src/main/java/dk/dren/dw/k8s/https/reloader
Beta Was this translation helpful? Give feedback.
All reactions