Closed orozery closed 1 month ago
> The client-side controlplane (the importer) terminates those controlplane connections when switching certificates.
Am I reading this correctly: When the client side control plane has a new certificate, it will re-establish (and therefore reauthenticate) control connections to remote peers.
This does not refer to existing workload-to-workload connections which are kept intact. Correct?
Correct
This PR changes the controlplane to watch the peer certificate files for changes, in order to support dynamic peer certificates.
Note that when switching TLS certificates, existing connections are still valid. The client-side controlplane (the importer) terminates those controlplane connections when switching certificates. However, if only the server switches certificates, the server will continue to allow authz connections, which will be dropped only at the tunnel establishment phase (where a new connection is used).