Open ChaosInTheCRD opened 1 year ago
brief update on this:
I have spent some time this morning writing some code to efficiently handle the cert / key pair hot-reloading. It's looking good but I need to test it and I also need to figure out a way of handling the refreshing of the gatekeeper CA cert.
When I have completed it for the cosign gatekeeper provider rewrite I will raise it in a WIP PR for this repo 😄.
Describe the solution you'd like:
Having spent some time working on an ExternalData Provider in the past, one thing that I spent some time on was working on hot reloading of certificates when they expire / are refreshed. From what I can tell it seems as though this would require the provider to be restarted.
Making sure that in the case of any of the certificates (provider's tls.crt/tls.key, gatekeeper's ca.crt) the new certificates are loaded in would be a nice addition in my opinion 😄. Some of this is mentioned in the Github issue here.
Anything else you would like to add:
I plan on completing some in progress work to refresh the cosign gatekeeper provider. It might be a good goal to try to standardise the code wherever possible for ease of future contribution? Just an idea.