Open duffney opened 8 months ago
cc: @susanshi
Hi @duffney Josh, The certificate store reconcile is only triggered when the CR is modified. In the case of permission change, since the action is external to ratify, customer would need to manually trigger a fetch operation by deleting and applying the CR again. I will add a TSG for this work around , thank you for the submitting this feedback.
It is also an option to implement to scheduled sync, we will need to discuss if this setting should be configurable, and the if certificate should be evited if fetch operation fails.
TSG PR submitted for review :https://github.com/deislabs/ratify-web/pull/28
@susanshi @akashsinghal I would like to discuss this issue in the community meeting this week.
Hi @duffney , the secrets store csi driver supports auto rotation, we could see if there are anything we could reference from their design.
What happened in your environment?
I installed Ratify on my AKS cluster before the appropriate access policy was assigned to the managed identity used by Ratify to connect to an Azure Key Vault instance. Once I noticed the issue, I assigned the appropriate access policy to the identity, but without a retry for the certificate fetch I was forced to uninstall and reinstall Ratify on the cluster. @akashsinghal mentioned it's also possible to delete the certstore-akv certificatestore to force a new fetch to occur.
What did you expect to happen?
I expected that Ratify would retry the fetch and resolve the cert issues.
What version of Kubernetes are you running?
1.26.3
What version of Ratify are you running?
v1.0.0
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this bug fix?
Steps to reproduce the error
cd terraform
,terraform init && terraform apply --auto-approve
az aks get-credentials --resource-group ${GROUP_NAME} --name ${AKS_NAME}