Story
Resolution: Done
BU Product Work
OCPSTRAT-193 - Automatically restart storage operators pods when the CA certificates are updated

1. The pod `vmware-vsphere-csi-driver-controller` mounts the secret:
```
$ oc get po -n openshift-cluster-csi-drivers vmware-vsphere-csi-driver-controller-8467ddf4c-5lgd8 -o yaml
...
    containers:
      name: driver-kube-rbac-proxy
      name: provisioner-kube-rbac-proxy
      name: attacher-kube-rbac-proxy
      name: resizer-kube-rbac-proxy
      name: snapshotter-kube-rbac-proxy
      name: syncer-kube-rbac-proxy
      volumeMounts:
      - mountPath: /etc/tls/private
        name: metrics-serving-cert
    volumes:
    - name: metrics-serving-cert
      secret:
        defaultMode: 420
        secretName: vmware-vsphere-csi-driver-controller-metrics-serving-cert
```
Hence, if the secret is updated (e.g. as a result of a CA cert update), the Pod must be restarted.
2. Similarly, the pod `vmware-vsphere-csi-driver-webhook` mounts another secret:
```
$ oc get po -n openshift-cluster-csi-drivers vmware-vsphere-csi-driver-webhook-c557dbf54-crrxp -o yaml
...
    containers:
      name: vsphere-webhook
      volumeMounts:
      - mountPath: /etc/webhook/certs
        name: certs
    volumes:
    - name: certs
      secret:
        defaultMode: 420
        secretName: vmware-vsphere-csi-driver-webhook-secret
```
Again, if the secret is updated (e.g. as a result of a CA cert update), the Pod must be restarted.
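
One way to get the restart in both cases above, shown as an added example that is not the operator's own code: hash the mounted Secret's data into a pod template annotation, so that a rotated certificate changes the template and the Deployment rolls out new Pods. The annotation key, function names and certificate bytes are hypothetical, and the sketch uses plain maps instead of the Kubernetes API types.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"sort"
)

// hashAnnotation is a hypothetical annotation key, not one the operator defines.
const hashAnnotation = "example.invalid/mounted-secret-hash"

// HashSecretData returns a deterministic SHA-256 digest of a Secret's data.
// Keys are sorted and each field is length-prefixed to keep the encoding unambiguous.
func HashSecretData(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	var n [8]byte
	for _, k := range keys {
		for _, field := range [][]byte{[]byte(k), data[k]} {
			binary.BigEndian.PutUint64(n[:], uint64(len(field)))
			h.Write(n[:])
			h.Write(field)
		}
	}
	return hex.EncodeToString(h.Sum(nil))
}

// StampPodTemplate stores the hash in the pod template annotations and
// reports whether it changed, i.e. whether new Pods would be rolled out.
func StampPodTemplate(annotations map[string]string, data map[string][]byte) bool {
	sum := HashSecretData(data)
	changed := annotations[hashAnnotation] != sum
	annotations[hashAnnotation] = sum
	return changed
}

func main() {
	ann := map[string]string{} // pod template annotations (constructed)
	data := map[string][]byte{"tls.crt": []byte("constructed-cert-1"), "tls.key": []byte("constructed-key-1")}
	fmt.Println(StampPodTemplate(ann, data)) // first sync: annotation added
	fmt.Println(StampPodTemplate(ann, data)) // secret unchanged: no rollout
	data["tls.crt"] = []byte("constructed-cert-2")
	fmt.Println(StampPodTemplate(ann, data)) // cert rotated: rollout
}
```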