Skip to content

Mount tls secrets using projected volume not subpath #524

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Dec 16, 2020
Merged

Mount tls secrets using projected volume not subpath #524

merged 2 commits into from
Dec 16, 2020

Conversation

@ChunyiLyu
Copy link
Contributor

@ChunyiLyu ChunyiLyu commented Dec 11, 2020

This closes #506

Note to reviewers: remember to look at the commits in this PR and consider if they can be squashed

Summary Of Changes

Additional Context

Local Testing

Please ensure you run the unit, integration and system tests before approving the PR.

To run the unit and integration tests:

$ make unit-tests integration-tests

You will need to target a k8s cluster and have the operator deployed for running the system tests.

For example, for a Kubernetes context named dev-bunny:

$ kubectx dev-bunny
$ make destroy deploy-dev
# wait for operator to be deployed
$ make system-tests

@ChunyiLyu ChunyiLyu marked this pull request as draft December 14, 2020 10:27
@ChunyiLyu
Mount tls secrets using projected volume not subpath
8427c41 
- secrets and configmaps mounted with subpath do not
not get updated in pods when changed, as reported in
issue: kubernetes/kubernetes#50345
- RabbitMQ itself supports TLS credential rotation without restart.
By mounting tls secrets without using subpath, rabbitmq pods
will pick up cert changes and support tls rotation
without server restart.
- certificate rotation tested in system tests
@ChunyiLyu ChunyiLyu marked this pull request as ready for review December 15, 2020 19:03
@ChunyiLyu
Use Expect/EventuallyWithOffset in system_tests/utils
f481878 
- we should use Expect and Eventually with offset to
make sure that the stack trace points to the failing
line in system tests instead of the helper function
@mkuratczyk mkuratczyk self-requested a review December 16, 2020 12:16
mkuratczyk
mkuratczyk approved these changes Dec 16, 2020
View reviewed changes
Copy link
Contributor

@mkuratczyk mkuratczyk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@ChunyiLyu ChunyiLyu merged commit a637934 into main Dec 16, 2020
@ChunyiLyu ChunyiLyu deleted the tls-rotation branch December 16, 2020 13:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mkuratczyk mkuratczyk mkuratczyk approved these changes

@MirahImage MirahImage MirahImage approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add support for TLS rotation without node/cluster restart

4 participants

@ChunyiLyu @mkuratczyk @MirahImage