When implementing an admission controller, we run a warp/hyper server using TLS credentials from a Secret (typically loaded from disk). These credentials can change at runtime (i.e. by cert-manager). Currently, such changes are not observed until the process is restarted (or maybe, more generally, until the server is discarded and rebuilt?).
In Linkerd, we can probably work around this manually; and this is probably more of an issue for hyper/warp, but this seems like a general problem that will impact all admission controllers so it would be best for kube-rs's examples to provide guidance on how to support certificate rotation.
Note that we're using native-tls, as we encountered a variety of Kubernetes environments that were incompatible with rustls. I expect that this deficiency exists in all TLS implementations, though.
We (the Linkerd team) are happy to help make improvements when we figure out what they are, but I wanted to open an issue here to ensure that the kube-rs community is aware of this operational concern.
Related to https://github.com/linkerd/linkerd2/issues/7519
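One way to get the behaviour this issue asks for, added here as an illustration (this is not code from kube-rs, Linkerd, warp, hyper or native-tls): instead of building the TLS acceptor once at startup, keep the cert and key paths and rebuild the acceptor whenever the bytes on disk change, fetching the current acceptor per accepted connection. The `RotatingCredentials` type, the `demo_build` builder and the `tls.crt`/`tls.key` file contents below are all assumptions made for the example; in a real controller the builder closure would be where `native_tls::Identity::from_pkcs8` and `TlsAcceptor::new` are called on the freshly read PEM bytes.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::sync::{Arc, Mutex};

/// One loaded generation of credential material: the raw PEM bytes it was
/// built from (compared on every refresh to detect rotation) and the object
/// built from them. In a real admission controller `T` would be a
/// native_tls / tokio_native_tls `TlsAcceptor`; here it is a stand-in.
struct Generation<T> {
    cert_pem: Vec<u8>,
    key_pem: Vec<u8>,
    built: Arc<T>,
    number: u64,
}

/// Credentials re-read from disk and rebuilt whenever either file changes.
/// (Hypothetical type written for this example, not a kube-rs API.)
pub struct RotatingCredentials<T> {
    cert_path: PathBuf,
    key_path: PathBuf,
    build: Box<dyn Fn(&[u8], &[u8]) -> io::Result<T> + Send + Sync>,
    state: Mutex<Option<Generation<T>>>,
}

impl<T> RotatingCredentials<T> {
    pub fn new(
        cert_path: impl AsRef<Path>,
        key_path: impl AsRef<Path>,
        build: impl Fn(&[u8], &[u8]) -> io::Result<T> + Send + Sync + 'static,
    ) -> Self {
        Self {
            cert_path: cert_path.as_ref().to_path_buf(),
            key_path: key_path.as_ref().to_path_buf(),
            build: Box::new(build),
            state: Mutex::new(None),
        }
    }

    /// Re-read both files and rebuild only if either changed. Returns Ok(true)
    /// when a new generation was built. If reading or building fails (for
    /// example the cert and key on disk do not belong to the same rotation
    /// yet), the previous generation is kept and the error is reported.
    pub fn refresh(&self) -> io::Result<bool> {
        let cert_pem = fs::read(&self.cert_path)?;
        let key_pem = fs::read(&self.key_path)?;
        let mut state = self.state.lock().unwrap_or_else(|e| e.into_inner());
        if let Some(gen) = state.as_ref() {
            if gen.cert_pem == cert_pem && gen.key_pem == key_pem {
                return Ok(false);
            }
        }
        let built = Arc::new((self.build)(&cert_pem, &key_pem)?);
        let number = state.as_ref().map_or(1, |g| g.number + 1);
        *state = Some(Generation { cert_pem, key_pem, built, number });
        Ok(true)
    }

    /// Credentials for the next accepted connection: the freshest generation
    /// that could be built, falling back to the last good one. Only fails if
    /// nothing has ever been loaded successfully.
    pub fn current(&self) -> io::Result<Arc<T>> {
        let refreshed = self.refresh();
        let state = self.state.lock().unwrap_or_else(|e| e.into_inner());
        match state.as_ref() {
            Some(gen) => Ok(Arc::clone(&gen.built)),
            None => Err(refreshed.err().unwrap_or_else(|| {
                io::Error::new(io::ErrorKind::Other, "no credentials loaded")
            })),
        }
    }

    /// Number of distinct generations built so far (0 before the first load).
    pub fn generation(&self) -> u64 {
        let state = self.state.lock().unwrap_or_else(|e| e.into_inner());
        state.as_ref().map_or(0, |g| g.number)
    }
}

/// Stand-in for `native_tls::Identity::from_pkcs8` + `TlsAcceptor::new`:
/// accepts only PEM-framed input, so a truncated or half-rotated file fails
/// to build and the previous acceptor stays in service.
#[derive(Debug)]
pub struct DemoAcceptor {
    pub cert_len: usize,
}

pub fn demo_build(cert_pem: &[u8], key_pem: &[u8]) -> io::Result<DemoAcceptor> {
    if !cert_pem.starts_with(b"-----BEGIN CERTIFICATE-----")
        || !key_pem.starts_with(b"-----BEGIN PRIVATE KEY-----")
    {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "not PEM-framed cert/key"));
    }
    Ok(DemoAcceptor { cert_len: cert_pem.len() })
}

fn main() -> io::Result<()> {
    // Constructed stand-in files; a real controller would point at the mounted
    // Secret volume instead (paths and contents here are made up for the demo).
    let dir = std::env::temp_dir().join(format!("rotating-creds-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let (cert, key) = (dir.join("tls.crt"), dir.join("tls.key"));
    fs::write(&cert, b"-----BEGIN CERTIFICATE-----\nGEN1\n-----END CERTIFICATE-----\n")?;
    fs::write(&key, b"-----BEGIN PRIVATE KEY-----\nGEN1\n-----END PRIVATE KEY-----\n")?;

    let creds = RotatingCredentials::new(&cert, &key, demo_build);
    // Per connection: fetch the acceptor now, never cache it across connections.
    let acceptor = creds.current()?;
    println!("generation {} -> {:?}", creds.generation(), acceptor);

    // The Secret is rewritten (e.g. by cert-manager); the next connection sees it.
    fs::write(&cert, b"-----BEGIN CERTIFICATE-----\nGEN2-LONGER\n-----END CERTIFICATE-----\n")?;
    fs::write(&key, b"-----BEGIN PRIVATE KEY-----\nGEN2\n-----END PRIVATE KEY-----\n")?;
    let acceptor = creds.current()?;
    println!("generation {} -> {:?}", creds.generation(), acceptor);

    fs::remove_dir_all(&dir)?;
    Ok(())
}
```

Two points matter operationally. First, the cert and key are read as a pair and a failed build keeps the previous generation, so a rotation that lands the two files at slightly different moments (or a corrupt write) degrades to "serve the old cert a little longer" rather than to a crashed or unreachable webhook; `refresh()` is exposed separately so the error can be logged. Second, comparing file contents on every connection is cheap for an admission webhook's traffic but would be wasteful on a busy server; there, a stat check, a file watcher or a periodic background `refresh()` feeding the same store is the usual substitute.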