
Automatically refresh all allocator TLS certs, not just client CA cert #1599

Closed
adamhosier opened this issue Jun 1, 2020 · 2 comments · Fixed by #1638
Labels
  • help wanted (We would love help on these issues. Please come help us!)
  • kind/feature (New features for Agones)
@adamhosier

Is your feature request related to a problem? Please describe.
Our infrastructure takes advantage of short lifetime certificates that are automatically renewed & loaded into pods. Currently we need to restart the allocator pods whenever such a renew happens, as the allocator does not automatically refresh all certs.

It appears as if PR #1145 introduced auto-refresh of the client CA, and this feature request asks that this functionality be extended to all client & server certs in use by the allocator.

Describe the solution you'd like
The hot-reload implementation in #1145 is extended to all certs in /home/allocator/tls and /home/allocator/client-ca.

Describe alternatives you've considered

  • A liveness probe on the allocator k8s config that will kill any pods with expired certs (I believe this will only work for server certs as last I checked we can't have mTLS liveness probes)
  • An external service that will delete pods that are older than X days - forcing the reload.
@adamhosier adamhosier added the kind/feature New features for Agones label Jun 1, 2020
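The hot-reload behaviour the request describes, as an added example and not Agones' code or the #1145 implementation: a Go reloader that re-reads the server cert/key and the client-CA file from disk, swaps them only when the bytes changed and parse cleanly (so a half-written file from a renewal never takes a working cert out of service), and hands the current material to crypto/tls on every handshake. The type and function names, the file names (tls.crt, tls.key, ca.crt) and the temp directory standing in for the issue's /home/allocator/tls and /home/allocator/client-ca are assumptions for this example; writeBundle produces constructed self-signed sample material in place of what a private CA such as Vault would renew.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"log"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// certReloader keeps the server keypair and client-CA pool in memory and swaps
// them when the files on disk change (type and names are this example's, not Agones').
type certReloader struct {
	certPath, keyPath, caPath string
	mu                        sync.RWMutex
	cert                      *tls.Certificate
	caPool                    *x509.CertPool
	seen                      []byte // bytes of all three files at the last good load
}

// reload installs new material only when the bytes changed and parse cleanly,
// so a half-written or malformed file keeps the previous cert in service.
func (r *certReloader) reload() (bool, error) {
	var files [][]byte
	for _, p := range []string{r.certPath, r.keyPath, r.caPath} {
		b, err := os.ReadFile(p)
		if err != nil {
			return false, err
		}
		files = append(files, b)
	}
	all := bytes.Join(files, []byte{0})
	r.mu.Lock()
	defer r.mu.Unlock()
	if bytes.Equal(all, r.seen) {
		return false, nil // nothing on disk changed since the last load
	}
	cert, err := tls.X509KeyPair(files[0], files[1])
	if err != nil {
		return false, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(files[2]) {
		return false, errors.New("client CA file holds no certificates")
	}
	r.cert, r.caPool, r.seen = &cert, pool, all
	return true, nil
}

// tlsConfig wires the reloader into crypto/tls: GetConfigForClient runs on every
// handshake, so each connection gets the latest keypair and client-CA pool (mTLS).
func (r *certReloader) tlsConfig() *tls.Config {
	return &tls.Config{GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
		r.mu.RLock()
		defer r.mu.RUnlock()
		return &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{*r.cert},
			ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: r.caPool}, nil
	}}
}

// writeBundle drops a throw-away self-signed cert, its key and (reusing the cert) a
// client-CA file into dir: constructed sample data standing in for a CA's renewal.
func writeBundle(dir, cn string) (certPath, keyPath, caPath string, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if the OS entropy source does
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Minute),
		NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", "", "", err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	certPath, keyPath, caPath = filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key"), filepath.Join(dir, "ca.crt")
	for p, b := range map[string][]byte{certPath: certPEM, keyPath: keyPEM, caPath: certPEM} {
		if err = os.WriteFile(p, b, 0o600); err != nil {
			return "", "", "", err
		}
	}
	return certPath, keyPath, caPath, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "allocator-tls") // stands in for /home/allocator/tls
	defer os.RemoveAll(dir)
	certPath, keyPath, caPath, err := writeBundle(dir, "allocator-v1")
	if err != nil {
		log.Fatal(err)
	}
	r := &certReloader{certPath: certPath, keyPath: keyPath, caPath: caPath}
	if _, err := r.reload(); err != nil {
		log.Fatal(err)
	}
	writeBundle(dir, "allocator-v2") // a renewal rewrites the files in place
	swapped, err := r.reload()
	log.Printf("swapped=%v err=%v tls=%v", swapped, err, r.tlsConfig() != nil)
}
```

In a real allocator the config returned by tlsConfig would be handed to tls.NewListener (or grpc's credentials.NewTLS) and reload would be driven either by a ticker or by a file watcher on the two directories; change detection is by file contents rather than mtime so that a sidecar rewriting the same bytes, or two writes inside one timestamp tick, are handled correctly. A reload that fails leaves seen untouched, so the next poll retries and the error keeps surfacing in the logs until the files are repaired.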
pooneh-m commented Jun 1, 2020

@adamhosier Thanks for reporting this issue. This is a valid scenario and should be addressed with the next Agones release. I agree with your recommended solution.

Out of curiosity, what technology does your infrastructure use for renewing certs?

@pooneh-m pooneh-m added the help wanted We would love help on these issues. Please come help us! label Jun 1, 2020
@adamhosier (Author)

Thanks @pooneh-m, good to hear.

> Out of curiosity, what technology does your infrastructure use for renewing certs?

We use HashiCorp Vault as a private CA, with their vault-agent process as a sidecar to Agones, handling cert refresh.
