Automatic reload of certificates

[dren-dk]

I've seen SslReloadBundle, but that seems like it places the burden of noticing that certificates have changed on some external daemon, when it might as well be handled internally.

In my use case, as I suspect many others, certificates are rotated by an external daemon such as cert-manager that simply replaces the certificates when they are about to expire and that daemon doesn't particularly have a need to know about the consumer of the certificate.

The true Kubernetes way to consume certificates would be to use the API server to watch the certificate resource and reload it when it changes, but that comes with a somewhat heavy burden of having to depend on the k8s api, when that might not otherwise be needed.

I think the simplest solution is to simply mount the TLS secret in the filesystem and load the certificates from the file system and then periodically poll the files for changes.

For my own dropwizard-kubernetes-https module I've implemented a very simple automatic ssl reloader that does not need an external daemon to poke the server to reload the certificates and I wonder if something like this is a candidate for core?

https://gitlab.com/dren.dk/dropwizard-kubernetes-https/-/tree/main/src/main/java/dk/dren/dw/k8s/https/reloader

[zUniQueX]

@dren-dk This sounds like an interesting idea. But as you have found a solution for yourself, I think this is more sort of a discussion instead of an issue. We could firstly determine, if there would be interest in having this in the framework and how this should be integrated then.

[dren-dk]

Yes, it's certainly a discussion.

I think it's a rather low impact thing to add and it can be done quite cleanly for the other HttpsConnectorFactories.

I think another worth-while addition would be a resource on the admin connector for forcing a poll for changed certificates, which can be used if someone has a very specific idea about when they'd like to reload the certificates.

The reason I like this approach more than the SslReloadBundle is that it automatically knows which files to watch for changes and doesn't need some external daemon to do that.

[zUniQueX]

Maybe we could extend the existing task on the admin connector to only reload, if the certificates have changed.

An other option we could easily integrate would be to provide a ScheduledExecutorService periodically reloading certificates. If one knows the interval, in which certificates are updated, this would also be a clean option IMO.