We found an issue where the CA certificate on local disk is not reloaded when it is changed.
To reproduce:
1. The configuration contains a faulty/invalid CA certificate at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
2. Vault is started and configured to use the local CA certificate (kubernetes_ca_cert not set, disable_local_ca_jwt false)
3. Try to log in with a service account => fail
4. Change the CA to a valid one
5. Try to log in again => fail (should succeed)
A similar problem could happen when the Kubernetes API server changes the server certificate issuer (the CA). Then the Kubernetes Auth Plugin does not reload the TLSConfig to take the new CA into use.
The root cause is similar to #169: the cached HTTP client TLSConfig is only set at initialization and at 'config write', but the local CA file can theoretically change at any time.
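As an added illustration of the fix this report asks for (example code written for this issue, not code from the plugin or the reporter), the following Go program keeps a CA pool that is re-parsed whenever the bytes of the file on disk change, and then replays the reproduction steps against it: a faulty ca.crt, then a valid one written in its place, then a rotated issuer. The `CAReloader` type, the `must` helper and the `RotationDemo` function are hypothetical names; the self-signed CAs are constructed in memory for the demo and the path is a temporary directory, not the real serviceaccount mount.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"sync"
	"time"
)

// CAReloader re-parses the CA file whenever its bytes change, so a long-lived client
// follows a corrected or rotated CA without a restart. (Hypothetical helper, not plugin code.)
type CAReloader struct {
	path string
	mu   sync.Mutex
	hash [32]byte
	pool *x509.CertPool // last successfully parsed pool, nil until one loads
}

func NewCAReloader(path string) *CAReloader { return &CAReloader{path: path} }

// Pool returns the current pool; call it each time a tls.Config is built (e.g. from
// http.Transport.DialTLSContext). On failure it keeps the last good pool and reports the error.
func (r *CAReloader) Pool() (*x509.CertPool, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	data, err := os.ReadFile(r.path)
	if err != nil {
		return r.pool, err
	}
	sum := sha256.Sum256(data)
	if r.pool != nil && sum == r.hash {
		return r.pool, nil // unchanged since last parse, nothing to do
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return r.pool, fmt.Errorf("no valid CA certificate in %s", r.path)
	}
	r.pool, r.hash = pool, sum
	return pool, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newTestCA makes a throwaway self-signed CA (constructed input for the demo).
func newTestCA(cn string) (*x509.Certificate, []byte) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// RotationDemo replays the report against one reloader: a faulty ca.crt, then a
// valid one written in its place, then a rotated issuer.
func RotationDemo(dir string) (invalidRejected, validPickedUp, rotationFollowed bool) {
	path := dir + "/ca.crt"
	oldCA, oldPEM := newTestCA("cluster-ca")
	newCA, newPEM := newTestCA("rotated-cluster-ca")
	r := NewCAReloader(path)
	must(os.WriteFile(path, []byte("not a certificate\n"), 0o600))
	pool, err := r.Pool()
	invalidRejected = pool == nil && err != nil // step 3: a login would fail
	must(os.WriteFile(path, oldPEM, 0o600)) // step 4: the CA file is corrected on disk
	pool, err = r.Pool()
	must(err)
	_, verr := oldCA.Verify(x509.VerifyOptions{Roots: pool})
	validPickedUp = verr == nil // step 5: the login now succeeds
	must(os.WriteFile(path, newPEM, 0o600)) // the cluster CA is rotated
	pool, err = r.Pool()
	must(err)
	_, oldErr := oldCA.Verify(x509.VerifyOptions{Roots: pool})
	_, newErr := newCA.Verify(x509.VerifyOptions{Roots: pool})
	rotationFollowed = oldErr != nil && newErr == nil
	return
}

func main() {
	dir, _ := os.MkdirTemp("", "careload")
	defer os.RemoveAll(dir)
	fmt.Println(RotationDemo(dir)) // true true true
}
```

The point of the design is that `Pool()` is consulted every time a `tls.Config` is built (for an `http.Transport`, from `DialTLSContext`), rather than `RootCAs` being captured once at initialization or at 'config write'. Comparing a hash of the file contents rather than the modification time avoids being fooled by atomic-rename updates that preserve timestamps, and a file that is unreadable or contains no parsable certificate never replaces a pool that was already good, so a half-written file during rotation does not take the client offline.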