Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Certificate renewal requires a restart of the gmsa pods #135

Closed
pmcenery-bl opened this issue Nov 7, 2023 · 4 comments · Fixed by #145
Closed

Certificate renewal requires a restart of the gmsa pods #135

pmcenery-bl opened this issue Nov 7, 2023 · 4 comments · Fixed by #145

Comments

@pmcenery-bl
Copy link

I'm not sure if this is a feature or known issue, but when the gmsa certificate is renewed, the gmsa pods need a restart.

Background

I am using the helm chart (v0.7.2) with cert-manager v1.11.0 (but various others tried) to deploy the gmsa webhook.

How to replicate

Set a short lifetime on the certificate and see what happens when it expires. Errors appear in the logs of the gmsa pods. Any other pods trying to start report invalid certificate when calling the gmsa webhook. The solution is to restart the gmsa pod.

Workaround 1

Set a really long certificate lifetime

Workaround 2 (preferred)

Use stakater reloader to automatically restart the pod when the cert is replaced

Has anyone else had to deal with this? I just thought its worth logging before someone else runs into it and spends a bit of time trying to figure it out.
@jsturtevant
Copy link
Contributor

Management and Rotation of the certs is out of scope but the webhook should be able to load new ones if updated.

The tls configuration is mounted as a secret, so any change to the secrert should be reflected in the pod:

windows-gmsa/admission-webhook/deploy/gmsa-webhook.yml.tpl

Lines 105 to 113 in b1f80fc

volumes:
- name: tls
secret:
secretName: ${NAME}
items:
- key: tls_private_key
path: key
- key: tls_certificate
path: crt

but we don't listen for changes, we load it once and start the webhook:

windows-gmsa/admission-webhook/webhook.go

Lines 77 to 82 in b1f80fc

if tlsConfig == nil {
err = webhook.server.Serve(keepAliveListener)
} else {
err = webhook.server.ServeTLS(keepAliveListener, tlsConfig.crtPath, tlsConfig.keyPath)
}

This could be updated to watch the file and re-loaded it via TLSConfig.GetCertificate https://pkg.go.dev/net/http#Server.ListenAndServeTLS

@jsturtevant
Copy link
Contributor

The strategy of doing a rolling upgrade is probably just as simple

@k8s-triage-robot
Copy link

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 5, 2024
ycheng-kareo added a commit to ycheng-kareo/windows-gmsa that referenced this issue Feb 8, 2024
@ycheng-kareo
Watch cert files and reload on change
91a292d 
The current webhook does not watch for cert renewal changes.
When the cert is renewed, the pod must be restarted to reload
the new cert.

This commit watches the cert files and reloads the cert when a
change is detected.

See: kubernetes-sigs#135
@ycheng-kareo ycheng-kareo mentioned this issue Feb 8, 2024
Merged
@jsturtevant
Copy link
Contributor

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 14, 2024
@jsturtevant jsturtevant mentioned this issue Mar 15, 2024
Merged
jsturtevant pushed a commit to jsturtevant/windows-gmsa that referenced this issue Sep 23, 2024
@ycheng-kareo @jsturtevant
Watch cert files and reload on change
cbe9bd2 
The current webhook does not watch for cert renewal changes.
When the cert is renewed, the pod must be restarted to reload
the new cert.

This commit watches the cert files and reloads the cert when a
change is detected.

See: kubernetes-sigs#135
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Cert rotation for e2e chart jsturtevant/windows-gmsa
4 participants
@jsturtevant @k8s-ci-robot @k8s-triage-robot @pmcenery-bl