Feature request: Implement ability to dynamically reload TLS certificates #856
Comments
Hello @jeevatkm!
Hello @cdoucy - Thanks for reaching out and proposing a feature request. I agree; it is a helpful feature for Resty users. I suggest a change in the implementation. What do you think of the following approach?
Please feel free to create a PR. PS: Resty v2 Client settings modification is not set thread-safe 100%. It should be all right if there are no concurrent certificate modifications; it is just not immune to it yet. The upcoming Resty v3 Client comes with
@cdoucy I edited the above suggestion with input parameter details.
Hi @jeevatkm! Thanks for your feedback!
Agree, actually that's pretty much what I had in mind as well!
Great, will create a draft PR by Sunday.
Description
client.SetRootCertificate and client.SetClientRootCertificate allow configuring certificates for TLS communication. It would be great if it were possible to dynamically reload certificates when they expire, to automatically handle certificate rotation.
Use-case
Assume there are multiple HTTPS services in a Kubernetes cluster. These HTTPS services are using Certificates issued by cert-manager. Therefore, pods that host HTTPS clients need to be mounted with the root certificate. When cert-manager rotates the Certificates, the running HTTPS clients need to reload the mounted certificate. To work around it, it's possible either to panic on TLS errors to restart the pod and reload the cert, or to create a fresh new resty Client for each HTTPS call, but that's not very efficient.
Possible implementations
I see two ways to implement this feature:
1. fsnotify is a cross-platform library that allows watching file system events. I believe it would be a good fit for the use-case. However, I'm not sure if fsnotify can be used in resty due to legal reasons (fsnotify is BSD licensed while resty is MIT). Implementing a cross-platform module to watch the file system would require some engineering effort.
2. A routine could periodically call os.Stat() on the file to check the certificate file's modification time. This approach would be straightforward to implement but is not as efficient as the previous option.