teamhephy / controller

Hephy Workflow Controller (API)
https://teamhephy.com
MIT License
14 stars, 26 forks

proposal: atomic cert update #35

Open Cryptophobia opened 6 years ago

Cryptophobia commented 6 years ago

From @deis-admin on January 19, 2017 23:40

From @szymonpk on September 29, 2015 11:29

There is no way to do an 'atomic' certificate update: if I do deis certs:remove tld.com && deis certs:add tld.crt tld.key, the cert is changed on the router's disk but nginx isn't restarted. It's required to have a few minutes' pause between each command or to do some strange workarounds (restart routers by hand, or add/remove certs for other apps where downtime is acceptable, so the configuration is reloaded as one).

I'm not sure which component should be modified to achieve this; can the controller instrument routers (request a certificate refresh)?

Copied from original issue: deis/deis#4544

Copied from original issue: deis/controller#1223

Cryptophobia commented 6 years ago

From @deis-admin on January 19, 2017 23:40

From @krancour on October 1, 2015 11:30

Possibly the controller could be modified to publish an additional etcd key corresponding to each cert. The value of that key could be a hash or fingerprint of the cert. This would be updated as certs are added/modified. On the router side, where the cert is used in the nginx config, the value of that etcd key could be included (using confd as usual) as a comment. The overall effect would be that when a cert is updated, a corresponding change to the nginx config also happens automatically, which would also trigger confd to reload nginx config.
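The mechanics behind both comments above, as an added example that is not code from the controller or router projects: the first comment describes a cert swap that changes bytes on disk without changing the rendered nginx config, so nothing reloads; the second proposes publishing a fingerprint of each cert as an extra etcd key and rendering it into the config as a comment, so that a cert change becomes a config change and confd's reload runs. The script below simulates that with an in-memory stand-in for etcd (the `/deis/certs/<domain>/...` key layout and the `fingerprint` key name are assumptions, not the project's actual schema) and a minimal rendering of one TLS server block. The sample "certificates" are constructed PEM blocks around arbitrary bytes, not real X.509, which is enough to show the fingerprint and reload behaviour.

```python
import base64
import hashlib
import re


# Constructed sample "certificates": the DER payload is arbitrary bytes rather
# than real X.509; the fingerprint logic only needs a PEM block to decode.
def _fake_pem(payload: bytes) -> str:
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


OLD_CERT = _fake_pem(b"tld.com cert issued 2015 " * 4)
NEW_CERT = _fake_pem(b"tld.com cert reissued 2016 " * 4)

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, formatted like OpenSSL's colon-separated
    fingerprint so it can be compared with `openssl x509 -fingerprint -sha256`."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block in PEM input")
    der = base64.b64decode("".join(match.group(1).split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class FakeEtcd:
    """In-memory stand-in for etcd; only the operations the example needs."""

    def __init__(self):
        self.kv = {}

    def set(self, key, value):
        self.kv[key] = value

    def get(self, key, default=None):
        return self.kv.get(key, default)

    def delete_prefix(self, prefix):
        for key in [k for k in self.kv if k.startswith(prefix)]:
            del self.kv[key]


def publish_cert(etcd, domain, cert_pem, key_pem):
    """Controller side: store cert and key, plus the proposed fingerprint key
    (hypothetical key names, not the project's real layout)."""
    etcd.set(f"/deis/certs/{domain}/cert", cert_pem)
    etcd.set(f"/deis/certs/{domain}/key", key_pem)
    etcd.set(f"/deis/certs/{domain}/fingerprint", cert_fingerprint(cert_pem))


def render_server_block(etcd, domain, include_fingerprint):
    """Router side: what a confd template would emit for one TLS server block.
    With include_fingerprint the etcd fingerprint value lands in a comment."""
    lines = [
        "server {",
        "    listen 443 ssl;",
        f"    server_name {domain};",
        f"    ssl_certificate /opt/router/ssl/{domain}.crt;",
        f"    ssl_certificate_key /opt/router/ssl/{domain}.key;",
    ]
    if include_fingerprint:
        fp = etcd.get(f"/deis/certs/{domain}/fingerprint")
        lines.insert(3, f"    # cert fingerprint: {fp}")
    lines.append("}")
    return "\n".join(lines) + "\n"


def reload_needed(previous_conf, new_conf):
    """confd only runs its reload_cmd when the rendered file differs from the
    file already on disk; an unchanged config means no nginx reload."""
    return previous_conf != new_conf


def simulate_cert_rotation(include_fingerprint):
    """Replay certs:remove followed by certs:add for tld.com and report whether
    the router's rendered config changed (and hence whether nginx reloads)."""
    etcd = FakeEtcd()
    publish_cert(etcd, "tld.com", OLD_CERT, "<old key material>")
    before = render_server_block(etcd, "tld.com", include_fingerprint)
    etcd.delete_prefix("/deis/certs/tld.com/")
    publish_cert(etcd, "tld.com", NEW_CERT, "<new key material>")
    after = render_server_block(etcd, "tld.com", include_fingerprint)
    return reload_needed(before, after)


if __name__ == "__main__":
    print("reload without fingerprint comment:", simulate_cert_rotation(False))
    print("reload with fingerprint comment:   ", simulate_cert_rotation(True))
```

Without the fingerprint comment the two rendered configs are byte-identical, so a confd-driven reload never fires even though the files referenced by `ssl_certificate` changed; with it, the comment line differs and the reload runs as a side effect of the normal config update. On a real cert, `openssl x509 -in tld.crt -noout -fingerprint -sha256` prints the same value `cert_fingerprint` computes, which is a quick way to check that the router picked up the cert you intended.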