Using the option to add the certificates to a secret, restarting pods on renewal? #160

arizon-dread · 2021-06-08T11:47:44Z

arizon-dread
Jun 8, 2021

Hi,
This is from the documentation:

Routes (OpenShift)
OpenShift Routes are fully supported.

If you annotate your Route with "acme.openshift.io/secret-name": "<secret_name>", the controller will synchronize the Route certificates into a Secret so you can use SSL in the passthrough mode and mount the secret into pods.

And the OpenShift documentation states:

Understanding how to update secrets
When you modify the value of a secret, the value (used by an already running pod) will not dynamically change. To change a secret, you must delete the original pod and create a new pod (perhaps with an identical PodSpec).

Is it possible to execute a rollout restart triggered by a secret change because of a certificate renewal? Maybe through owner reference or by some other means? If it's possible as-is, the documentation needs an update. If not, could it be considered as a feature request?

I want to help out in line of my abilities but I'm not very experienced so I might need some guidance. Please give me pointers on how to proceed if I can be of any assistance.

Answered by tnozicka

Jun 8, 2021

Hi,

As secrets are live mounted, the change will be seen also on disk so you could just wire life reload in your app. If you don't control it, a sidecar could send e.g. SIGHUP.

If you really want a rolling restart, you'd need a controller that hashes the secret content and places an annotation on you workload resource template.podSpec - that'll trigger a rolling restart. That's what some operators do when they don't control the payload to wire a live reload.

If not, could it be considered as a feature request?

This is a generic problem with kube and secrets, I don't think that's something we'd include in the controller. But it can be a standalone controller. (Maybe there are already some.)

View full answer

tnozicka · 2021-06-08T12:50:53Z

tnozicka
Jun 8, 2021
Maintainer

Hi,

As secrets are live mounted, the change will be seen also on disk so you could just wire life reload in your app. If you don't control it, a sidecar could send e.g. SIGHUP.

If you really want a rolling restart, you'd need a controller that hashes the secret content and places an annotation on you workload resource template.podSpec - that'll trigger a rolling restart. That's what some operators do when they don't control the payload to wire a live reload.

If not, could it be considered as a feature request?

This is a generic problem with kube and secrets, I don't think that's something we'd include in the controller. But it can be a standalone controller. (Maybe there are already some.)

1 reply

arizon-dread Jun 10, 2021
Author

I just wanted to add that we decided to use stakater/reloader to generate pod restarts on secret updates. In case someone else stumbles across this.

I cloned the repo and installed it using the helm chart after creating a custom copy of the values.yaml file to suit our needs.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Using the option to add the certificates to a secret, restarting pods on renewal? #160

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

Using the option to add the certificates to a secret, restarting pods on renewal? #160

arizon-dread Jun 8, 2021

Replies: 1 comment · 1 reply

tnozicka Jun 8, 2021 Maintainer

arizon-dread Jun 10, 2021 Author

arizon-dread
Jun 8, 2021

Replies: 1 comment 1 reply

tnozicka
Jun 8, 2021
Maintainer

arizon-dread Jun 10, 2021
Author