Certificate Rotation #7576
Comments
This is being discussed at etcd-operator coreos/etcd-operator#224. /cc @hongchaodeng @colhom
I am also looking for a way to reload server/client/peer certificates. I guess this is where the server certificates are loaded: And here the client certificates: I am suggesting reacting to SIGHUP signals and reloading the certificates object / client config in that case. I would assume we need some locking around the config reload. Not too familiar with etcd's codebase, but could have a try to get something PoC-style implemented within the next weeks.
I have written a patch which forces etcd to load the certificate files from disk every time they are needed. It's not the final solution I am looking for, but it's a step in that direction. Let me know if anyone is interested in seeing that patch.
@tgrosinger sure, might as well post it as a PR if the code's already working. If the only problem is it hits the fs when establishing every connection, it could possibly be gated so it only reloads on SIGHUP.
This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd. Fixes etcd-io#7576
This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd. Fixes etcd-io#7576 Signed-off-by: Gyu-Ho Lee <gyuhox@gmail.com>
This changes the baseConfig used when creating tls Configs to utilize the GetCertificate and GetClientCertificate functions to always reload the certificates from disk whenever they are needed. Always reloading the certificates allows changing the certificates via an external process without interrupting etcd. Fixes etcd-io#7576 Cherry-picked by Gyu-Ho Lee <gyuhox@gmail.com> Original commit can be found at etcd-io#7784
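The approach the commit message above describes, as an added stand-alone Go example (this is not code from etcd or from the referenced patch): a tls.Config whose GetCertificate (server side) and GetClientCertificate (client side) hooks read the pair from disk on every handshake, so an external process can rotate the files without a restart. The names CertReloader, ServedCN, WriteSelfSigned and the node.crt/node.key file names are this example's own, and the self-signed P-256 pair it writes is constructed demo data standing in for what a CA would issue. The SIGHUP-gated variant suggested in the thread would instead cache the loaded pair and call the same load from a signal.Notify handler.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// CertReloader re-reads the cert/key files on every TLS handshake through the
// GetCertificate and GetClientCertificate hooks, so rotation needs no restart.
type CertReloader struct{ CertFile, KeyFile string }

// load returns the pair currently on disk. LoadX509KeyPair rejects a key that
// does not match the cert, so a half-rotated pair fails this handshake loudly.
func (r CertReloader) load() (*tls.Certificate, error) {
	c, err := tls.LoadX509KeyPair(r.CertFile, r.KeyFile)
	if err != nil {
		return nil, err
	}
	return &c, nil
}

func (r CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) { return r.load() }

func (r CertReloader) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return r.load()
}

// TLSConfig leaves Certificates empty so crypto/tls always goes through the hooks.
func (r CertReloader) TLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, GetCertificate: r.GetCertificate, GetClientCertificate: r.GetClientCertificate}
}

// ServedCN is the CommonName of the leaf a handshake would receive right now.
func ServedCN(r CertReloader) (string, error) {
	c, err := r.GetCertificate(nil)
	if err != nil {
		return "", err
	}
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

// writePEM writes to a temp name and renames, so a handshake racing the rotation
// reads the old file or the new one, never a truncated one.
func writePEM(path, typ string, der []byte) error {
	if err := os.WriteFile(path+".tmp", pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), 0o600); err != nil {
		return err
	}
	return os.Rename(path+".tmp", path)
}

// WriteSelfSigned writes a self-signed P-256 pair with CommonName cn (constructed
// demo data in place of a CA-issued pair) to dir/node.crt and dir/node.key and
// returns a reloader pointing at those files.
func WriteSelfSigned(dir, cn string) (CertReloader, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CertReloader{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return CertReloader{}, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key GenerateKey just produced
	r := CertReloader{CertFile: filepath.Join(dir, "node.crt"), KeyFile: filepath.Join(dir, "node.key")}
	if err := writePEM(r.CertFile, "CERTIFICATE", der); err != nil {
		return r, err
	}
	return r, writePEM(r.KeyFile, "EC PRIVATE KEY", keyDER)
}

func main() {
	dir, _ := os.MkdirTemp("", "rotate")
	defer os.RemoveAll(dir)
	r, _ := WriteSelfSigned(dir, "v1")
	before, _ := ServedCN(r)
	WriteSelfSigned(dir, "v2") // rotate on disk while r is in use: no restart, no signal
	after, _ := ServedCN(r)
	fmt.Println("before rotation:", before, "after:", after) // before rotation: v1 after: v2
}
```

Two caveats a practitioner would want. First, the cost raised in the thread is real: every handshake now reads and parses two files, which is why a SIGHUP-gated reload (cache the pair, re-run load from a signal handler) is the cheaper design once the number of connections grows. Second, the cert and key are still two separate files, so a handshake that lands between the two renames sees a mismatched pair; LoadX509KeyPair refuses that, so the handshake fails rather than presenting a wrong pair, and the next one succeeds. Writing the new pair into a fresh directory and swapping a single symlink removes even that window.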
Versions
etcd Version: 3.1.3
etcd Version SHA: 21fdcc6
clientv3 Version SHA: 350d0cd
Issue
I would like to start using --client-cert-auth and --peer-client-cert-auth to control access to my etcd cluster, however for security reasons I need to rotate these certificates fairly frequently.
Assuming I change the certificate in the file etcd is reading from, is there a way to ask etcd to reload the file?
If not, how bad of an idea is it to be restarting the etcd instances in a cluster frequently? For example, in a 3 node cluster having each instance restart once an hour?
And finally, any pointers on where I should start looking if I wanted to contribute this functionality to etcd?
Thank you.