Story
Resolution: Done
Normal
Strategic Product Work
OCPSTRAT-1104 - [etcd] manual rotation of etcd signer certs when the cluster is still online
ETCD Sprint 248, ETCD Sprint 249
Testing in ETCD-512 revealed that CEO does not react to changes in the CA bundle or the client certificates.
The current mounts are defined here:
https://github.com/openshift/cluster-etcd-operator/blob/60b7665a26610a095722d3b12b2bb08dcae6965f/manifests/0000_20_etcd-operator_06_deployment.yaml#L90-L106
A simple fix would be to watch the respective resources (the certificate secrets and the CA bundle) in a controller and exit the container when they change; kubelet then restarts the operator and it comes up with the new certificates. This is the same approach we took for feature gates: https://github.com/openshift/cluster-etcd-operator/blob/60b7665a26610a095722d3b12b2bb08dcae6965f/pkg/operator/starter.go#L174C1-L174C1
If hot reloading turns out to be feasible we should look into it, but it appears to require a larger refactoring.
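As an added illustration of the restart-on-change approach described above (example code written for this page, not cluster-etcd-operator code): a small change detector records a content digest of each certificate-related secret the first time it is observed, which is the content the running process loaded at startup, and fires a restart hook as soon as a later observation of that secret carries different data. The `Secret` type is a minimal stand-in for the client-go `corev1.Secret`, the watched secret names and namespace are illustrative assumptions rather than the operator's real ones, and `Observe`/`ObserveDelete` are what an informer's Add/Update/Delete handlers would call.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"sort"
	"sync"
)

// Secret is a minimal stand-in for corev1.Secret holding only what the
// detector needs. In a real controller the informer would deliver the
// client-go type instead (assumption for this example).
type Secret struct {
	Namespace string
	Name      string
	Data      map[string][]byte
}

// digest hashes all keys and values in a stable key order, so that map
// ordering never counts as a change but any byte difference in a cert does.
func digest(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		h.Write([]byte(k))
		h.Write([]byte{0}) // separator so "ab"+"c" != "a"+"bc"
		h.Write(data[k])
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// CertChangeDetector remembers the content of each watched secret as first
// seen and calls onChange once any of them is later observed with different
// content (or is deleted). Safe to call from concurrent informer handlers.
type CertChangeDetector struct {
	mu       sync.Mutex
	watched  map[string]bool   // "namespace/name" of cert-related secrets
	seen     map[string]string // key -> digest at first observation
	onChange func(key string)
}

func NewCertChangeDetector(keys []string, onChange func(string)) *CertChangeDetector {
	d := &CertChangeDetector{watched: map[string]bool{}, seen: map[string]string{}, onChange: onChange}
	for _, k := range keys {
		d.watched[k] = true
	}
	return d
}

// Observe handles an Add or Update event. It returns true when the
// restart hook was triggered.
func (d *CertChangeDetector) Observe(s Secret) bool {
	key := s.Namespace + "/" + s.Name
	if !d.watched[key] {
		return false // unrelated secret, ignore
	}
	d.mu.Lock()
	defer d.mu.Unlock()
	sum := digest(s.Data)
	prev, ok := d.seen[key]
	if !ok {
		d.seen[key] = sum // first sight: the content the process started with
		return false
	}
	if prev == sum {
		return false // periodic resync with identical content is not a change
	}
	d.seen[key] = sum
	d.onChange(key)
	return true
}

// ObserveDelete handles a Delete event: losing a cert secret we already
// loaded is also a reason to restart rather than keep serving stale state.
func (d *CertChangeDetector) ObserveDelete(namespace, name string) bool {
	key := namespace + "/" + name
	d.mu.Lock()
	defer d.mu.Unlock()
	if _, ok := d.seen[key]; !ok {
		return false
	}
	delete(d.seen, key)
	d.onChange(key)
	return true
}

func main() {
	// Assumed names for the demo; the real operator watches its own secrets.
	d := NewCertChangeDetector([]string{"openshift-etcd/etcd-client"}, func(key string) {
		fmt.Printf("certificate secret %s changed, exiting so kubelet restarts us\n", key)
		os.Exit(0) // any exit restarts the container under restartPolicy Always
	})
	startup := Secret{Namespace: "openshift-etcd", Name: "etcd-client",
		Data: map[string][]byte{"tls.crt": []byte("cert-v1"), "tls.key": []byte("key-v1")}}
	d.Observe(startup) // initial list: no restart
	rotated := startup
	rotated.Data = map[string][]byte{"tls.crt": []byte("cert-v2"), "tls.key": []byte("key-v2")}
	d.Observe(rotated) // rotation: hook fires and the process exits
}
```

In the operator this detector would sit behind the secret informer's `AddEventHandler` callbacks, the same place the feature-gate watcher hooks in; keeping the "first observation is baseline" rule avoids a restart loop on the initial list, and treating an identical resync as a no-op keeps periodic resyncs from bouncing the pod.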
AC:
- CEO needs to react (restart) when it detects changes in certificate-related secrets
- add an e2e test case for it