Respond to TLS certificate/key changes without requiring a restart #101072
Labels
enhancement
New value added to drive a business result
impact:low
Addressing this issue will have a low level of impact on the quality/strength of our product.
loe:small
Small Level of Effort
Team:Core
Core services & architecture: plugins, logging, config, saved objects, http, ES client, i18n, etc
Team:Security
Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!
Comments
legrego
added
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
|
Note for posterity: Before I merged #53810 (in the 7.6 release), every time a certificate config value was read by a consumer, it was read off of the disk. So it was possible to change a certificate on the filesystem while Kibana was running, and get into a situation where some consumers were using the old cert, and some were using the new one. That PR included a change to read the cert off of disk when Kibana starts and keep the PEM file in memory. |
exalate-issue-sync
bot
added
impact:low
|
Closing in favor of #54368 |
pgayvallet
added
the
Team:Core
|
Pinging @elastic/kibana-core (Team:Core) |
|
Regarding reloading the Kibana<->ES certificates, proposal on how it could be done started here: #110082 (comment) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Kibana maintains a number of different TLS configuration settings:
SIGHUP#171823)TLS certificates and keys are generally stored on disk, read once on startup, and used for the lifetime of the process. Changes to these files will not be picked up until Kibana is restarted.
Elasticsearch has long supported reloading this configuration from disk -- we should explore the feasibility of similar support within Kibana, so that we can accept updated certificates/keys without a restart.
Support for this would greatly simplify certificate rotation in managed environments such as ESS and ECE
The text was updated successfully, but these errors were encountered: