Catalogd is not reloading server certificate #378
Comments
I'm looking more into this now. It looks like we are using a cert watcher and the cert watcher eventually notices that the files change. However it can take quite some time, which results in the mutating webhook being unavailable (because the mutating webhook configuration is attempting to use the name that has not yet propagated to the serving cert). Trying to figure out where this delay is coming from:
I have a feeling it is (2), so looking into that possibility a bit more.
As I suspected, it looks like (2) is the issue. Ultimately I think this problem is a confluence of factors
We can avoid issues like this in the future in either of the following ways:
I believe when I was testing the CA watcher in the operator-controller, it could take up to two minutes for kubelet to update the certificates. But typically it was a minute or less.
If the server certificate changes, the catalogd webserver needs to reload it.
0.24.0 introduces a new hostname in catalogd's server certificate, but it appears that during an upgrade from 0.23.0 to 0.24.0, the new catalogd pods start prior to cert-manager noticing the Certificate change and updating the secret. Catalogd should watch the mounted secret and reload it when it changes.