[How can I make my services to use renewed certificates automatically?] #58
Comments
Most of the servers will require you to send a signal so they can re-read the configuration and use the new certificates. The best way to achieve that is to include in your image an inotify-based tool that monitors the certificates and reloads the configuration in the server. See for example how We're also discussing alternatives that can allow you to modify the renewer scripts and do that there, but solutions like that will likely require you to include
@maraino Right, thank you, I will try them out and let you know!
My code-server is running as above in a pod and the code-server doesn't seem to provide any reload/restart options.
That's an option but if you control the code of that code-server you can make it work, let me look for some docs.
@imageschool I believe you can use something like this nodejs/node#15115 (comment) to reload a new secure context when the files change, and you can monitor the files changes using an API like https://nodejs.org/docs/latest/api/fs.html#fswatchfilename-options-listener
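The approach suggested in the comment above (load a new secure context when the certificate files change), as an added example that is not part of the original thread and is not code from code-server or autocert. The file names `site.crt` and `site.key`, the `TLS_DIR` environment variable and port 8443 are assumptions made for the example.

```javascript
const fs = require("fs");
const path = require("path");
const crypto = require("crypto");
const https = require("https");

// Read the current cert/key pair and return it with a digest for change detection.
function readPair(dir, certName, keyName) {
  const cert = fs.readFileSync(path.join(dir, certName));
  const key = fs.readFileSync(path.join(dir, keyName));
  const digest = crypto.createHash("sha256").update(cert).update(key).digest("hex");
  return { cert, key, digest };
}

// Swap the server's TLS context if the files changed; returns true when a reload happened.
// New connections get the new certificate; established connections are not dropped.
// Default file names are assumptions, not taken from the thread.
function reloadIfChanged(server, state, dir, certName = "site.crt", keyName = "site.key") {
  let pair;
  try {
    pair = readPair(dir, certName, keyName);
  } catch (err) {
    return false; // file missing or mid-rewrite: keep serving the old context
  }
  if (pair.digest === state.digest) return false;
  try {
    server.setSecureContext({ cert: pair.cert, key: pair.key });
  } catch (err) {
    return false; // cert and key do not match yet (half-written pair): retry on next event
  }
  state.digest = pair.digest;
  return true;
}

// Watch the directory rather than the files: a renewer may replace a file by rename,
// which a per-file watcher can miss. Debounced because one renewal fires several events.
function watchCerts(server, state, dir, delayMs = 500) {
  let timer = null;
  return fs.watch(dir, () => {
    clearTimeout(timer);
    timer = setTimeout(() => reloadIfChanged(server, state, dir), delayMs);
  });
}

// Runs only when TLS_DIR (hypothetical variable: the mounted certificate directory) is set.
if (process.env.TLS_DIR) {
  const first = readPair(process.env.TLS_DIR, "site.crt", "site.key");
  const server = https.createServer({ cert: first.cert, key: first.key }, (req, res) => res.end("ok\n"));
  watchCerts(server, { digest: first.digest }, process.env.TLS_DIR);
  server.listen(8443); // arbitrary port chosen for the example
}
```

If a reload is rejected, the server keeps the previous context, so a half-written pair never takes the listener down.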
Closing this issue for now. Feel free to open a discussion on https://github.com/smallstep/certificates/discussions if you need more help on this.
@maraino Did you mean I have to manually change the code-server (Visual Studio Code Server, open-source)'s source code? For example, using https://hub.docker.com/r/linuxserver/code-server as a base image and manually modifying its code-server/src/node/app.ts to add file watch feature & node reload script and build my own image? I am not very familiar with your idea so I would really appreciate it if you can give me more detail on how I should approach it!
I resolved the issue by increasing the duration to one year in Configmap by following below.
Subject of the issue
I have installed 'autocert' through the helm chart, which works very well. (Thank you to the community)
I am then providing these certificates to my other k8s services such as code-server or Elastic Kibana so they can have the TLS support. I know that the maximum duration of the certificate is 24h and the renewer is renewing them, however, how can I let those services pick up the new certificate instead of the old one?
Unless I restart the pod, they are still using the old certificate, i.e., expired.
For an alternative solution, I also tried to adjust the duration of the certificate to one year by following this issue, but somehow the certificates are not being injected by the admission webhook.
Environment
rke2 version v1.22.9+rke2r2 (d7c26a45b92cf3f76c063e93f8c6448fde7b2456) go version go1.16.14b7
AWS EC2