OpenShift Etcd / ETCD-516

CEO needs to react to changes in the CA cert bundle and client certs


    • Story
    • Resolution: Done
    • Normal
    • OCPSTRAT-1104 - [etcd] rotation of etcd signer certs when the cluster is still online
    • ETCD Sprint 248, ETCD Sprint 249

      Testing in ETCD-512 revealed that CEO does not react to changes in the CA bundle or the client certificates.

      The current mounts are defined here:
      https://github.com/openshift/cluster-etcd-operator/blob/60b7665a26610a095722d3b12b2bb08dcae6965f/manifests/0000_20_etcd-operator_06_deployment.yaml#L90-L106

      A simple fix would be to watch the respective resources in a controller and exit the container on changes. This is how we did it with feature gates as well: https://github.com/openshift/cluster-etcd-operator/blob/60b7665a26610a095722d3b12b2bb08dcae6965f/pkg/operator/starter.go#L174C1-L174C1

      If hot reload is feasible we should take a look at it, but it seems to be a larger refactoring.

      AC:

      • CEO needs to react (restart) when it detects changes in certificate-related secrets
      • Add an e2e test case for it
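
The restart-on-change approach described above, modelled with the standard library only (an added example, not code from cluster-etcd-operator). The `Resources` type, the `RestartOnChange` stand-in for the controller and the resource names are assumptions; a plain map replaces the informer-backed Secret and ConfigMap listers.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"sort"
)

// Resources maps "<resource>/<key>" to its bytes (hypothetical stand-in for listed Secrets/ConfigMaps).
type Resources map[string][]byte

// Digest hashes keys and values in sorted order, length-prefixed so that
// different splits of the same bytes cannot produce the same digest.
func Digest(r Resources) string {
	keys := make([]string, 0, len(r))
	for k := range r {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		fmt.Fprintf(h, "%d:%s%d:", len(k), k, len(r[k]))
		h.Write(r[k])
	}
	return fmt.Sprintf("%x", h.Sum(nil))
}

// RestartOnChange keeps the digest of the certificate material seen at startup.
type RestartOnChange struct {
	startup string
	exit    func(code int)
}

// Sync is what a controller would call on every watch event; it reports
// whether a restart was triggered.
func (c *RestartOnChange) Sync(current Resources) bool {
	if Digest(current) == c.startup {
		return false // resync or no-op update: keep running
	}
	c.exit(0) // container exits, the kubelet restarts it with the new certs
	return true
}

func main() {
	// Constructed sample data, not real certificate material.
	start := Resources{"example-ca-bundle/ca-bundle.crt": []byte("constructed CA v1")}
	c := &RestartOnChange{startup: Digest(start), exit: os.Exit}
	fmt.Println("restart on unchanged data:", c.Sync(start))
	c.Sync(Resources{"example-ca-bundle/ca-bundle.crt": []byte("constructed CA v2")})
}
```

Comparing against the startup digest rather than the previous event means a resync that delivers unchanged data does not restart the operator, while a rotation or a removed key does.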

            tjungblu@redhat.com Thomas Jungblut