bank-vaults / vault-secrets-webhook

A Kubernetes mutating webhook that makes direct secret injection into Pods possible.
https://bank-vaults.dev/docs/mutating-webhook/
Apache License 2.0

Consider adding WatchConfig and automatic reload for CA secrets #310

Open jansobczak opened 6 months ago

jansobczak commented 6 months ago

Preflight Checklist

Problem Description

When using cert-manager as the CA provider for the webhook, the CA is read in line https://github.com/bank-vaults/vault-secrets-webhook/blob/5c5715ab5c44f92136ebade5bb6118063b009275/main.go#L175, but when the CA rotates this requires a rollout of the webhook deployment.

Proposed Solution

Use WatchConfig() from the viper library to detect changes in the file and reload vault-secrets-webhook.

Alternatives Considered

No response

Additional Information

No response
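An added example of the reload behaviour the issue asks for, not code from vault-secrets-webhook or from the issue author. Instead of viper's WatchConfig() (which is built on fsnotify), it polls the CA file by content hash and swaps an x509.CertPool atomically, so a goroutine handing the pool to a TLS config never sees a half-written or missing bundle. Polling is chosen deliberately: the kubelet updates a mounted Secret by atomically swapping a `..data` symlink, so a watch on the file path itself can miss the rotation. The type and function names (CAReloader, Reload, Trusts, selfSignedCAPEM) are hypothetical; the poll interval and the test CA it generates are constructed for the demo.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

// CAReloader holds an x509.CertPool built from a PEM bundle on disk and
// rebuilds it whenever the file's contents change. Reload must be called from
// a single goroutine (Watch does this); Pool and Trusts are safe from any.
type CAReloader struct {
	path string
	hash [sha256.Size]byte          // SHA-256 of the bundle currently loaded
	pool atomic.Pointer[x509.CertPool] // readers get a consistent snapshot
}

// NewCAReloader loads the bundle once and fails if it is unusable.
func NewCAReloader(path string) (*CAReloader, error) {
	r := &CAReloader{path: path}
	if _, err := r.Reload(); err != nil {
		return nil, err
	}
	return r, nil
}

// Reload re-reads the bundle and reports whether the pool was replaced.
// A file that cannot be parsed is rejected and the previous pool is kept.
func (r *CAReloader) Reload() (bool, error) {
	data, err := os.ReadFile(r.path)
	if err != nil {
		return false, err
	}
	sum := sha256.Sum256(data)
	if sum == r.hash && r.pool.Load() != nil {
		return false, nil // same bytes as last time, nothing to do
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return false, errors.New("no certificates found in " + r.path)
	}
	r.pool.Store(pool)
	r.hash = sum
	return true, nil
}

// Pool returns the current pool, e.g. for tls.Config.ClientCAs / RootCAs.
func (r *CAReloader) Pool() *x509.CertPool { return r.pool.Load() }

// Trusts reports whether cert chains to the currently loaded CA bundle.
func (r *CAReloader) Trusts(cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: r.Pool()})
	return err == nil
}

// Watch polls the file every interval until ctx is cancelled.
func (r *CAReloader) Watch(ctx context.Context, interval time.Duration, onError func(error)) {
	t := time.NewTicker(interval)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-t.C:
			if _, err := r.Reload(); err != nil && onError != nil {
				onError(err)
			}
		}
	}
}

// selfSignedCAPEM makes a throwaway P-256 CA so the demo runs offline.
func selfSignedCAPEM(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// certFromPEM parses the first certificate in a PEM bundle.
func certFromPEM(b []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(b)
	if block == nil {
		return nil, errors.New("no PEM block")
	}
	return x509.ParseCertificate(block.Bytes)
}

func main() {
	dir, err := os.MkdirTemp("", "ca-reload")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "ca.crt")
	first, _ := selfSignedCAPEM("demo-ca-1")
	_ = os.WriteFile(path, first, 0o600)
	r, err := NewCAReloader(path)
	if err != nil {
		panic(err)
	}
	ctx, cancel := context.WithCancel(context.Background())
	go r.Watch(ctx, 200*time.Millisecond, func(err error) { fmt.Println("reload error:", err) })
	second, _ := selfSignedCAPEM("demo-ca-2") // simulate cert-manager rotating the CA
	_ = os.WriteFile(path, second, 0o600)
	time.Sleep(time.Second)
	cancel()
	c2, _ := certFromPEM(second)
	fmt.Println("rotated CA trusted without restart:", r.Trusts(c2))
}
```

Wiring this into a server means handing `r.Pool()` out from a `tls.Config.GetConfigForClient` callback rather than capturing the pool once at startup; the same pattern applies to a rotating serving cert via `GetCertificate`. A failed parse leaves the old pool in place and the hash unchanged, so the next tick retries instead of silently serving an empty trust store.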

ramizpolic commented 5 months ago

Thanks for raising this @jansobczak! If you have some time to assist on this, would be quite helpful. Let us know so we can plan ahead.