Is your feature request related to a problem? Please describe.
Hi, it looks like Vault must be restarted to use new certs for etcd storage.
We use Vault in k8s with etcd as storage (with TLS) and cert-manager as the cert provider.
After rotation, the certs are updated inside the pod, but Vault uses the previous one:
{"level":"warn","ts":"2022-11-14T10:54:51.021Z","logger":"etcd-client","caller":"v3@v3.5.0/retry_interceptor.go:62","msg":"retrying of unary invoker failed","target":"etcd-endpoints://0xc000857a40/#initially=[https://vault-etcd:2379]","attempt":0,"error":"rpc error: code = DeadlineExceeded desc = latest balancer error: last connection error: connection error: desc = \"transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2022-11-14T10:54:36Z is after 2022-11-14T10:00:21Z\""}
The whole environment is unavailable until the Vault pods are restarted.
Describe the solution you'd like
It would be great to have an option that allows Vault to re-read the certs from disk when making new connections, or in case of connection errors.
Describe alternatives you've considered
Sending SIGHUP, as it works for Vault's TLS settings.
But it's not convenient in many k8s environments, as you want procedures to be as automated as possible. You need an additional controller that watches for changes to the secrets and does a graceful restart (sending signals) of all Vault pods in a specific order.
It doesn't sound good.
Additional context
Part of the config:
Thanks in advance for any feedback or comments!
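The behaviour requested above (pick up a rotated client certificate from disk on the next new connection, with no restart and no SIGHUP) is what Go's `tls.Config.GetClientCertificate` callback is designed for. The following is an added example written for this page; it is not Vault's or the etcd client's own code. It re-reads the PEM pair on every handshake, keeps the last good pair if the files are unreadable or half-written mid-rotation, and logs each adoption of a new serial so a rotation shows up in the logs. `ReloadingCert`, `WriteSelfSignedPair` and the `vault-etcd-client` common name are assumptions of this example; `WriteSelfSignedPair` only stands in for cert-manager so the block runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"log"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// ReloadingCert supplies the client certificate for an mTLS connection by
// re-reading the PEM files on every handshake, so a pair rotated on disk
// (e.g. by cert-manager) is used by the next new connection without a
// process restart. If the files are unreadable or half-written during a
// rotation, the last successfully parsed pair is kept.
type ReloadingCert struct {
	certPath, keyPath string
	mu                sync.Mutex
	last              *tls.Certificate
	rotations         int
}

func NewReloadingCert(certPath, keyPath string) *ReloadingCert {
	return &ReloadingCert{certPath: certPath, keyPath: keyPath}
}

// Current reloads the pair from disk and returns the pair to present.
func (r *ReloadingCert) Current() (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	pair, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err == nil {
		pair.Leaf, err = x509.ParseCertificate(pair.Certificate[0])
	}
	if err != nil {
		if r.last != nil { // keep serving the previous good pair
			log.Printf("reload of %s failed, keeping previous pair: %v", r.certPath, err)
			return r.last, nil
		}
		return nil, err
	}
	if r.last != nil && r.last.Leaf.SerialNumber.Cmp(pair.Leaf.SerialNumber) != 0 {
		r.rotations++
		log.Printf("client certificate rotated: serial %s, notAfter %s",
			pair.Leaf.SerialNumber, pair.Leaf.NotAfter.Format(time.RFC3339))
	}
	r.last = &pair
	return r.last, nil
}

// Rotations reports how many new certificates were adopted after the first.
func (r *ReloadingCert) Rotations() int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return r.rotations
}

// TLSConfig builds a client config that resolves the certificate per handshake
// through GetClientCertificate instead of the static Certificates slice.
func (r *ReloadingCert) TLSConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return r.Current()
		},
	}
}

// WriteSelfSignedPair writes a throwaway self-signed ECDSA pair with the given
// serial. Constructed fixture standing in for cert-manager; not for real use.
func WriteSelfSignedPair(certPath, keyPath string, serial int64, ttl time.Duration) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "vault-etcd-client"}, // assumed name
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(certPath, certPEM, 0o600); err != nil {
		return err
	}
	return os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "reload")
	defer os.RemoveAll(dir)
	certPath, keyPath := filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")
	_ = WriteSelfSignedPair(certPath, keyPath, 1, time.Hour)
	rc := NewReloadingCert(certPath, keyPath)
	c, _ := rc.Current()
	log.Printf("serial before rotation: %s", c.Leaf.SerialNumber)
	_ = WriteSelfSignedPair(certPath, keyPath, 2, time.Hour) // simulated renewal
	c, _ = rc.Current()
	log.Printf("serial after rotation: %s (rotations=%d)", c.Leaf.SerialNumber, rc.Rotations())
}
```

On a Kubernetes secret volume the mounted files are swapped atomically via the `..data` symlink, so a per-handshake `LoadX509KeyPair` on the mount path sees the renewed pair as soon as the kubelet syncs it; existing connections keep their old session until they are re-established, which is the "make new connections or in case of connection errors" case the request describes.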