Allow updating CA files at runtime #13679

Open
markylaing opened this issue Jun 28, 2024 · 0 comments
Labels: Feature (New feature, not a bug), Improvement (Improve to current situation)

Comments

@markylaing
Contributor

Currently, when using PKI mode, the server.ca and ca.crl files must be present at daemon startup.

It is already possible to replace the cluster certificate at runtime via /1.0/cluster/certificate. This writes the cluster certificate to disk and updates the network certificate on the TLS listener (and forwards the request to other cluster members to do the same).

We can improve PKI mode by allowing a similar update of the server.ca and ca.crl files. In particular for the ca.crl, this would allow certificate revocation without restarting LXD.

This can be in the form of a PATCH /1.0/cluster/certificate endpoint which only updates non-empty fields, and includes cluster_key, cluster_cert, cluster_ca, and cluster_crl fields.

markylaing added the Feature (New feature, not a bug) and Improvement (Improve to current situation) labels on Jun 28, 2024
tomponline changed the title from "Allow updating CA files at runtime." to "Allow updating CA files at runtime" on Jun 28, 2024