Do not use in-memory root for citadel #14512
If Citadel fails to update the CA-root stored in the K8s secret, it uses an in-memory root for the cluster. This was introduced in the very early stages to support testing Citadel in special environments (non-K8s). Now we should not support in-memory root, because the in-memory root is not sustainable for production usage. It may also cause issues in special scenarios. For example, when Citadel fails to read the existing CA-root secret, it may choose to generate a separate root cert and use it to issue certificates for the cluster, which conflicts with the existing root cert.
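
One way to avoid the fallback described above, as an added Go example that is not Citadel's code: `SecretStore`, `ErrNotFound`, `LoadRoot` and `fakeStore` are hypothetical names, and the store is a constructed in-memory double. A new root is generated only when the store confirms that none exists; a read or write failure is returned to the caller instead of producing an in-memory root.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound and SecretStore are hypothetical stand-ins for the K8s secret API.
var ErrNotFound = errors.New("ca-root secret not found")

type SecretStore interface {
	Get() ([]byte, error)
	Create(root []byte) error
}

// LoadRoot generates a root only when the store confirms none exists. Any
// other failure is returned (fail closed); there is no in-memory fallback.
func LoadRoot(s SecretStore, generate func() []byte) ([]byte, error) {
	root, err := s.Get()
	if err == nil {
		return root, nil
	}
	if !errors.Is(err, ErrNotFound) {
		return nil, fmt.Errorf("read CA-root secret: %w", err)
	}
	root = generate()
	if err := s.Create(root); err != nil {
		return nil, fmt.Errorf("persist new CA root: %w", err)
	}
	return root, nil
}

// fakeStore is a constructed double used to exercise LoadRoot.
type fakeStore struct {
	root              []byte
	getErr, createErr error
	creates           int
}

func (f *fakeStore) Get() ([]byte, error) { return f.root, f.getErr }

func (f *fakeStore) Create(root []byte) error {
	f.creates++
	return f.createErr
}

func main() {
	_, err := LoadRoot(&fakeStore{getErr: errors.New("apiserver timeout")}, func() []byte { return []byte("NEW") })
	fmt.Println("read failure ->", err)
}
```

The caller decides what a returned error means (retry, crash-loop, alert); the point is that no certificate is issued from a root the cluster secret does not hold.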