Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The spire-agent k8s workload attestor wont refresh kubelet ca if it changes on disk #5370

Open
kfox1111 opened this issue Aug 9, 2024 · 3 comments
Open

The spire-agent k8s workload attestor wont refresh kubelet ca if it changes on disk #5370

kfox1111 opened this issue Aug 9, 2024 · 3 comments
Labels
help wanted Issues with this label are ready to start work but are in need of someone to do it priority/backlog Issue is approved and in the backlog

Comments

@kfox1111
Copy link
Contributor

kfox1111 commented Aug 9, 2024

There is no way to notify the agent or have the agent notice itself, if kubelet's server cert is updated.
@kfox1111 kfox1111 mentioned this issue Aug 9, 2024
Merged
@azdagron azdagron added triage/in-progress Issue triage is in progress help wanted Issues with this label are ready to start work but are in need of someone to do it priority/backlog Issue is approved and in the backlog and removed triage/in-progress Issue triage is in progress labels Aug 13, 2024
@azdagron
Copy link
Member

Seems reasonable to periodically reload that file.

@kfox1111
Copy link
Contributor Author

Hmm.... Its not a very costly operation I would think, would it make sense to either:

  • reload before each call back to the spire server (assuming its not very frequent?)
  • Reload after a failure to connect to the spire server. Then the next retry would get the update

@SpectralHiss
Copy link

Why not use fsnotify to actually watch the file system instead?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Issues with this label are ready to start work but are in need of someone to do it priority/backlog Issue is approved and in the backlog
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kfox1111 @azdagron @SpectralHiss