Dynamic certificate reloading for Terminating Gateways #8198
Labels
- theme/certificates: Related to creating, distributing, and rotating certificates in Consul
- theme/connect: Anything related to Consul Connect, Service Mesh, Side Car Proxies
- theme/terminating-gw: Track terminating gateway work
Feature Description
Terminating Gateways can be configured with certificates for TLS origination to destination services.
These certificates are currently loaded from disk, and the path they are loaded from is not watched for changes. This means that if the certificates for any service are rotated, then Envoy needs to be restarted to pick them back up.
To avoid downtime, after a key/cert rotation users need to do a rolling restart or an Envoy hot-restart. Ideally neither of these would be required.
This could be achieved by specifying these key/cert files via the Envoy SDS API (Relevant Envoy PR). Envoy will subscribe to filesystem changes to resources watched by SDS, and update dynamically.
Note: it seems the watch will only trigger if there is an atomic symlink swap, not if individual files are updated. That would need to be documented.
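The rotation flow the note above describes, as an added example that is not Consul's or Envoy's own code: a small shell script that installs a new key/cert pair into a versioned directory and repoints a "current" symlink with a single rename(2), so the cert and key change together and Envoy's directory watch sees one MOVED_TO event instead of two partial file updates. It also writes the filesystem-backed SDS resource Envoy would be pointed at. The base path, file names, secret name and the use of Envoy's `watched_directory` field on the SDS TlsCertificate resource are assumptions; `mv -T` is GNU coreutils (it is what makes the swap a rename rather than an unlink plus create).

```shell
#!/bin/sh
# Added example, not Consul's or Envoy's own code. All paths/names are assumptions.
set -eu

# Write the SDS Secret resource that Envoy's sds_config path points at.
# $1 = base directory holding the "current" symlink, $2 = output file,
# $3 = secret name (assumed). Cert and key are addressed through the symlink,
# and watched_directory tells Envoy which directory to watch for symlink swaps.
write_sds_resource() {
  base=$1; out=$2; name=${3:-upstream_cert}
  cat > "$out" <<EOF
resources:
- "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret
  name: $name
  tls_certificate:
    certificate_chain:
      filename: $base/current/tls.crt
    private_key:
      filename: $base/current/tls.key
    watched_directory:
      path: $base
EOF
}

# Install a new key/cert pair under a fresh versioned directory and atomically
# repoint "$base/current" at it. The temporary symlink plus 'mv -T' turns the
# swap into one rename(2); an 'ln -sfn' would unlink then re-create, which is
# neither atomic nor the event the watch fires on. Prints the new version dir.
rotate() {
  base=$1; crt=$2; key=$3
  mkdir -p "$base/versions"
  ver=$(mktemp -d "$base/versions/$(date +%Y%m%d%H%M%S).XXXXXX")
  cp "$crt" "$ver/tls.crt"
  cp "$key" "$ver/tls.key"
  chmod 0600 "$ver/tls.key"
  ln -s "$ver" "$base/current.tmp.$$"
  mv -T "$base/current.tmp.$$" "$base/current"
  printf '%s\n' "$ver"
}

# Old versions are left in place so an Envoy that has not yet reloaded still has
# readable files; prune them on a later rotation, never on this one.
```

Run as `rotate /etc/envoy/certs/payments new.crt new.key` after the CA has issued the new pair, and point the terminating gateway's upstream `tls_certificate_sds_secret_configs` at the file written by `write_sds_resource`. Rotating by overwriting `tls.crt` and `tls.key` in place would not trigger the reload, which is the caveat the issue asks to have documented.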