crowdsecurity / crowdsec

CrowdSec - the open-source and participative security solution offering crowdsourced protection against malicious IPs and access to the most advanced real-world CTI.
https://crowdsec.net
MIT License

[crowdsec] TLS agent limitation on cert expiry #2810

Open LaurenceJJones opened 7 months ago

LaurenceJJones commented 7 months ago

What would you like to be added?

When using TLS authentication for "agents" there is a limitation that has been found with the way that we load the certificates: since we load the certs at startup time, if the cert expires whilst the "agent" is running it will hit an infinite authentication failure "wall".

We need the "agent" to be smarter and self-heal. For example, within k8s cert-manager will automatically renew the certificate over the existing cert; however, the "agent" will try infinitely to re-authenticate without reloading the certificates.

The current workaround is killing the existing pods so that startup happens again; however, this is not an ideal solution when using short-lived certs.

/kind enhancement

Why is this needed?

"agents" can be smarter about how to deal with a 401 response from LAPI when using certificate authentication
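An added example of the self-healing the issue asks for, written here for illustration and not taken from CrowdSec's code base: a Go client-certificate provider that re-reads the PEM files once the cached certificate is past its NotAfter, or after the caller has invalidated it on a 401, and that is hooked into tls.Config.GetClientCertificate so every new handshake picks up a certificate cert-manager renewed in place. ReloadingCert, its methods and the WriteSelfSigned fixture are hypothetical names; the fixture writes constructed self-signed certs to stand in for cert-manager's tls.crt/tls.key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// ReloadingCert (assumed design, not CrowdSec code) hands the client cert to each
// TLS handshake and re-reads the PEM files once the cached leaf has expired or
// after Invalidate() was called, e.g. by the code path that got a 401 from LAPI.
type ReloadingCert struct {
	CertPath, KeyPath string
	mu                sync.Mutex
	cert              *tls.Certificate
	leaf              *x509.Certificate
}

func (r *ReloadingCert) load() error {
	cert, err := tls.LoadX509KeyPair(r.CertPath, r.KeyPath)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	if err != nil {
		return err
	}
	r.cert, r.leaf = &cert, leaf
	return nil
}

// Get returns the cert to present; now is injected so the expiry branch is testable.
// A failed reload keeps the previous cert rather than failing the handshake outright.
func (r *ReloadingCert) Get(now time.Time) (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.cert == nil || now.After(r.leaf.NotAfter) {
		if err := r.load(); err != nil && r.cert == nil {
			return nil, err
		}
	}
	return r.cert, nil
}

// Invalidate forces a reload on the next handshake; call it when LAPI answers 401.
func (r *ReloadingCert) Invalidate() {
	r.mu.Lock()
	r.cert, r.leaf = nil, nil
	r.mu.Unlock()
}

// TLSConfig hooks Get into crypto/tls, which calls it on every new connection.
func (r *ReloadingCert) TLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return r.Get(time.Now())
		},
	}
}

// WriteSelfSigned is a constructed fixture standing in for cert-manager: a self-signed
// client cert for cn, valid until notAfter, written as tls.crt/tls.key in dir.
func WriteSelfSigned(dir, cn string, notAfter time.Time) (certPath, keyPath string, err error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // only fails if rand.Reader does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for the key generated above
	certPath, keyPath = filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644); err != nil {
		return "", "", err
	}
	err = os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
	return certPath, keyPath, err
}

func main() {
	c, k, _ := WriteSelfSigned(os.TempDir(), "agent-v1", time.Now().Add(time.Hour))
	rc := &ReloadingCert{CertPath: c, KeyPath: k}
	_, err := rc.Get(time.Now())
	fmt.Println("client cert loaded for handshake, err:", err)
}
```

Two practical points when wiring this into an HTTP client: GetClientCertificate only runs during a handshake, and http.Transport pools TLS connections, so the error path that calls Invalidate() on a 401 should also call the transport's CloseIdleConnections() before retrying, otherwise the retry rides the old connection and presents nothing new. And a reload driven purely by expiry or a 401 is the minimum; watching the cert file's mtime (or using fsnotify) makes the agent switch to the renewed cert as soon as cert-manager writes it, before the old one runs out.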

github-actions[bot] commented 7 months ago

@LaurenceJJones: Thanks for opening an issue, it is currently awaiting triage.

In the meantime, you can:

  1. Check Crowdsec Documentation to see if your issue can be self resolved.
  2. You can also join our Discord.
  3. Check Releases to make sure your agent is on the latest version.
I am a bot created to help the [crowdsecurity](https://github.com/crowdsecurity) developers manage community feedback and contributions. You can check out my [manifest file](https://github.com/crowdsecurity/crowdsec/blob/master/.github/governance.yml) to understand my behavior and what I can do. If you want to use this for your project, you can check out the [BirthdayResearch/oss-governance-bot](https://github.com/BirthdayResearch/oss-governance-bot) repository.
github-actions[bot] commented 7 months ago

@LaurenceJJones: There is no 'kind' label on this issue. You need a 'kind' label to start the triage process.
