Reload TLS certificates #2814

Closed
2 tasks done
sagikazarmark opened this issue Feb 7, 2023 · 2 comments

Comments

@sagikazarmark
Member

Preflight Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for an issue that matches the one I want to file, without success.

Problem Description

When Dex is deployed in an environment where certificates frequently change (e.g. using Let's Encrypt) AND it is configured to terminate TLS, it continues serving with the old certs indefinitely without reloading them from the filesystem.

Proposed Solution

Support (optionally) reloading TLS certificates. Two common solutions I can see:

  • reload certs upon receiving SIGHUP (doesn't work on Kubernetes)
  • watching files for changes and reloading certs upon an event

We probably need to support both and let users decide which mechanism to use.

There is a library called tlsreconciler: https://github.com/shaj13/tlsreconciler

It looks pretty good except it may not be obvious how to implement file watching.

For file watching, fsnotify is the standard library: https://github.com/fsnotify/fsnotify

Alternatives Considered

First, on Kubernetes it is probably better to terminate TLS at the ingress layer.

If that's not possible reloader can provide an automated solution to trigger rollouts on secret changes.

Additional Information

This is a duplicate of #2274, but since that mentions both configuration AND certs, I decided to open a separate one for certs as that might be easier to resolve.

Some information about reloading TLS certs: https://stackoverflow.com/questions/37473201/is-there-a-way-to-update-the-tls-certificates-in-a-net-http-server-without-any-d

@tgruenert

Running dex on docker-compose does always require some kind of reloading certs. I would prefer reload on watching files. It should work on docker and kubernetes.

@nabokihms
Member

Closed by #2964


3 participants