
How can I make my services use renewed certificates automatically? #58

Closed · imageschool opened this issue Jun 16, 2022 · 8 comments
Labels: bug (Something isn't working), needs triage (Waiting for discussion / prioritization by team)

Comments

@imageschool

imageschool commented Jun 16, 2022

Subject of the issue

I have installed 'autocert' through the helm chart, which works very well. (Thank you to the community)

I am then providing these certificates to my other k8s services such as code-server or Elastic Kibana so they can have TLS support. I know that the maximum duration of the certificate is 24h and the renewer is renewing them; however, how can I let those services pick up the new certificate instead of the old one?

Unless I restart the pod, they are still using the old certificate, i.e. an expired one.

For an alternative solution, I also tried to adjust the duration of the certificate to one year by following this issue, but somehow the certificates are not being injected by the admission webhook.

Environment

  • Kubernetes version:
    rke2 version v1.22.9+rke2r2 (d7c26a45b92cf3f76c063e93f8c6448fde7b2456) go version go1.16.14b7
  • Cloud provider or hardware configuration:
    AWS EC2
  • OS (e.g., from /etc/os-release):
    NAME="Ubuntu"
    VERSION="20.04.4 LTS (Focal Fossa)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 20.04.4 LTS"
    VERSION_ID="20.04"
    HOME_URL="https://www.ubuntu.com/"
    SUPPORT_URL="https://help.ubuntu.com/"
    BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
    PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
    VERSION_CODENAME=focal
    UBUNTU_CODENAME=focal
  • Kernel (e.g., `uname -a`):
    Linux ip-172-32-74-108 5.13.0-1023-aws #25~20.04.1-Ubuntu SMP Mon Apr 25 19:28:27 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools:
    lens (Kube IDE), helm chart, autocert

imageschool added the bug and needs triage labels Jun 16, 2022
@maraino
Collaborator

maraino commented Jun 16, 2022

Most of the servers will require you to send a signal so they can re-read the configuration and use the new certificates.

The best way to achieve that is to include in your image an inotify-based tool that monitors the certificates and reloads the configuration in the server. See for example how certwatch.sh is used here.

We're also discussing alternatives that can allow you to modify the renewer scripts and do that there, but solutions like that will likely require you to include shareProcessNamespace: true, and you don't need that if you use inotify tools and an entry point script.

@imageschool
Author

@maraino Right, thank you, I will try them out and let you know!

@imageschool
Author

imageschool commented Jun 17, 2022

@maraino

[image: screenshot]

My code-server is running as above in a pod and the code-server doesn't seem to provide any reload/restart options.
What would you suggest if such reload/restart commands do not exist?
Do I need to manually kill all those and restart?

@maraino
Collaborator

maraino commented Jun 17, 2022

That's an option, but if you control the code of that code-server you can make it work. Let me look for some docs.

@maraino
Collaborator

maraino commented Jun 17, 2022

@imageschool I believe you can use something like this nodejs/node#15115 (comment) to reload a new secure context when the files change, and you can monitor the file changes using an API like https://nodejs.org/docs/latest/api/fs.html#fswatchfilename-options-listener

@maraino
Collaborator

maraino commented Jun 17, 2022

Closing this issue for now. Feel free to open a discussion on https://github.com/smallstep/certificates/discussions if you need more help on this.

@maraino maraino closed this as completed Jun 17, 2022
@imageschool
Author

imageschool commented Jun 30, 2022

@maraino Did you mean I have to manually change the code-server (Visual Studio Code Server, open-source)'s source code?

For example, using https://hub.docker.com/r/linuxserver/code-server as a base image and manually modifying its code-server/src/node/app.ts to add file watch feature & node reload script and build my own image?

I am not very familiar with your idea so I would really appreciate it if you can give me more detail on how I should approach it!

@imageschool
Author

imageschool commented Jun 30, 2022
