Certificate renewal handling #641
-
Simply put, we have clusters deployed through automation and they pull their certificates from secrets management tools. I've been trying to find an answer but have been unable to find a clear answer, so I appreciate any insight the community can give me. If we update our secrets containing our certificates (TLS/ADMIN/ROOT_CA), will the operator recognize that change and apply it to the running pods, do a rolling update, or ignore it (do nothing)? I'm thinking of expiration time when those certs automatically re-issue new certificates and it gets pushed to those secrets. Anything to point me in the right direction is appreciated.
Replies: 2 comments
-
Hi @mrvdcsg. Currently the operator ignores any changes to the content of provided certificates.
-
Thanks @swoehrl-mw, we have observed that to be the case. We will have to coordinate a rolling restart for certificates to take effect. It would make sense for the change for certificates to cause a rolling restart automatically so that certificates can be updated by downstream processes without needing manual intervention, but we can plan for that in this case.
Hi @mrvdcsg. Currently the operator ignores any changes to the content of provided certificates.
The files in the pods would actually get updated by Kubernetes, but AFAIK OpenSearch does not automatically reload.
There is some discussion in issue #399 around this.
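
A check for the situation described in this thread (the Secret and the mounted files change, but the running OpenSearch process keeps serving the old certificate), as an added example that is not part of the original discussion or the operator's code: it compares the SHA-256 fingerprint of the leaf certificate in the Secret with the one each node actually serves. The pod names, port 9200 and the sample PEM blobs are assumptions constructed for illustration.

```python
import hashlib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes of the first (leaf) certificate in a PEM bundle."""
    start = pem.index(PEM_BEGIN)
    end = pem.index(PEM_END, start) + len(PEM_END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem[start:end])).hexdigest()


def served_cert(host: str, port: int = 9200) -> str:
    """PEM of the certificate a running node presents (no chain validation)."""
    return ssl.get_server_certificate((host, port))


def stale_pods(secret_pem: str, served: dict) -> list:
    """Pods whose served certificate differs from the one now in the Secret."""
    want = fingerprint(secret_pem)
    return sorted(pod for pod, pem in served.items() if fingerprint(pem) != want)


# Constructed sample data: placeholder bytes wrapped as PEM, not real X.509.
SAMPLE_OLD = ssl.DER_cert_to_PEM_cert(b"constructed-old-certificate")
SAMPLE_NEW = ssl.DER_cert_to_PEM_cert(b"constructed-renewed-certificate")
SAMPLE_CA = ssl.DER_cert_to_PEM_cert(b"constructed-ca-certificate")
SAMPLE_SECRET = SAMPLE_NEW + SAMPLE_CA  # leaf first, then the CA
SAMPLE_SERVED = {
    "example-node-0": SAMPLE_NEW,  # already restarted after the renewal
    "example-node-1": SAMPLE_OLD,
    "example-node-2": SAMPLE_OLD,
}

if __name__ == "__main__":
    for pod in stale_pods(SAMPLE_SECRET, SAMPLE_SERVED):
        print(f"{pod}: still serving the previous certificate, restart pending")
```

Against a live cluster, the `served` mapping would be filled by calling `served_cert()` for each node address and `secret_pem` with the decoded certificate from the Secret; a non-empty result is the signal to schedule the rolling restart.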