Check for dynamic tls updates on configuration preload #4022
We are running into a similar issue where cert-manager updates the secrets but the Traefik pods need to be explicitly killed. I had a question on this part though:
Should you have to touch the toml file at all? Should a modification to the TLS files be all that's needed? If not, what aspect in the cert-manager update process will touch the toml file to trigger a reload in traefik?
@dbachrach that is proposed/discussed here: #3083 and is more of an enhancement. If you read through the issue there is a small explanation on why this mechanism (touching the toml file) was picked. This PR is just trying to solve the bug that is linked in the description. Arguably this is still not going to be the ideal approach in our (and your) case as you still have to run a sidecar to watch the certs (I am using
Is there anything we can do to help this one progress? We are happy to review code if there are any concerns or anything similar. It is just holding us back from migrating from TLS termination on ELBs, as we would have to go and manually restart traefiks every couple of months, which can be disturbing.
LGTM
Thank you for your PR. I think that it is better to replace the file path with the content directly in the provider file. With this, it will fix the bug because the I did the modification in order to merge it in the next bug fix release.
LGTM
LGTM
What does this PR do?
Changes to look for TLS certificate changes during the `preLoadConfiguration` function. The aim is to solve issue: #3272 and make reload configuration because of cert changes when `touch` toml files.

Motivation
We are hitting this issue because we run an HA traefik setup in a kubernetes cluster and we use `cert-manager` to manage/update certificates. Each time a certificate is updated we have to go and restart traefik instances atm.

More
Added one test, `TestListenProvidersPublishWhenTLSCertChange`, under server/server_tests.go that loads a conf that includes `TLS`, then provides the same conf 2 times and expects no changes, and finally rewrites new certs and provides the same conf, which should trigger a reload.
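
Why a configuration that only stores certificate paths looks unchanged after a renewal, while a comparison over file content does not, shown as an added Go example (not Traefik's code or this PR's). `TLSEntry`, `Fingerprint` and `RotationDemo` are hypothetical names, and the file bytes are constructed placeholders rather than real PEM data.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
)

// TLSEntry is a hypothetical file-provider entry that points at PEM files by path.
type TLSEntry struct{ CertFile, KeyFile string }

// Fingerprint hashes the bytes behind every path, so a renewal changes the result.
func Fingerprint(entries []TLSEntry) (string, error) {
	h := sha256.New()
	for _, e := range entries {
		for _, p := range []string{e.CertFile, e.KeyFile} {
			b, err := os.ReadFile(p)
			if err != nil {
				return "", fmt.Errorf("read %s: %w", p, err)
			}
			fmt.Fprintf(h, "%d:%s", len(b), b) // length prefix keeps file boundaries unambiguous
		}
	}
	return fmt.Sprintf("%x", h.Sum(nil)), nil
}

// RotationDemo rewrites the files behind an unchanged entry, as a renewal does.
func RotationDemo(dir string) (pathsDiffer, contentDiffers bool, err error) {
	cfg := TLSEntry{filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")}
	var fp [2]string
	for i, tag := range []string{"old", "renewed"} { // constructed bytes, not real PEM
		for _, p := range []string{cfg.CertFile, cfg.KeyFile} {
			if err = os.WriteFile(p, []byte(tag+" "+filepath.Base(p)), 0o600); err != nil {
				return
			}
		}
		if fp[i], err = Fingerprint([]TLSEntry{cfg}); err != nil {
			return
		}
	}
	reloaded := TLSEntry{filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")} // toml parsed again
	return cfg != reloaded, fp[0] != fp[1], nil
}

func main() {
	dir, _ := os.MkdirTemp("", "tlsdemo")
	defer os.RemoveAll(dir)
	fmt.Println(RotationDemo(dir))
}
```

A read error is returned rather than ignored, so a certificate file that is missing or half-written during renewal is not mistaken for "no change".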