Preflight Checklist
I agree to follow the Code of Conduct that this project adheres to.
I have searched the issue tracker for an issue that matches the one I want to file, without success.
Problem Description
When Dex is deployed in an environment where certificates frequently change (e.g. using Let's Encrypt) AND it is configured to terminate TLS, it continues serving with the old certs indefinitely without reloading them from the filesystem.
Proposed Solution
Support (optionally) reloading TLS certificates. Two common solutions I can see:
reload certs upon receiving SIGHUP (doesn't work on Kubernetes)
watching files for changes and reloading certs upon an event
We probably need to support both and let users decide which mechanism to use.
There is a library called tlsreconciler: https://github.com/shaj13/tlsreconciler
It looks pretty good except it may not be obvious how to implement file watching.
For file watching, fsnotify is the standard library: https://github.com/fsnotify/fsnotify
Alternatives Considered
First, on Kubernetes it is probably better to terminate TLS at the ingress layer.
If that's not possible, reloader can provide an automated solution to trigger rollouts on secret changes.
Additional Information
This is a duplicate of #2274, but since that mentions both configuration AND certs, I decided to open a separate one for certs as that might be easier to resolve.
Some information about reloading TLS certs: https://stackoverflow.com/questions/37473201/is-there-a-way-to-update-the-tls-certificates-in-a-net-http-server-without-any-d

Running Dex on docker-compose always requires some kind of cert reloading. I would prefer reloading by watching files. It should work on Docker and Kubernetes.
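
The SIGHUP variant proposed in this issue, sketched with Go's standard `tls.Config.GetCertificate` hook. This is an added example, not Dex's code or the issue author's; `CertReloader`, its `Load` field, the file names and the listen address are assumptions. A failed reload leaves the previous certificate in place, which matters when a renewal writes the cert and key files at slightly different times and a reload catches a mismatched pair.

```go
package main

import (
	"crypto/tls"
	"log"
	"net/http"
	"os"
	"os/signal"
	"sync/atomic"
	"syscall"
)

// CertReloader serves whichever key pair was last loaded successfully.
type CertReloader struct {
	Load    func() (tls.Certificate, error) // how to read the pair; injectable for tests
	current atomic.Pointer[tls.Certificate]
}

// Reload swaps in a fresh pair; on error the previous certificate stays active.
func (r *CertReloader) Reload() error {
	cert, err := r.Load()
	if err == nil {
		r.current.Store(&cert)
	}
	return err
}

// GetCertificate is the tls.Config hook, called on every new handshake.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return r.current.Load(), nil
}

func main() {
	// "tls.crt", "tls.key" and ":8443" are assumed values for this sketch.
	r := &CertReloader{Load: func() (tls.Certificate, error) { return tls.LoadX509KeyPair("tls.crt", "tls.key") }}
	if err := r.Reload(); err != nil {
		log.Fatal(err) // refuse to start without a usable pair
	}
	hup := make(chan os.Signal, 1)
	signal.Notify(hup, syscall.SIGHUP)
	go func() {
		for range hup {
			if err := r.Reload(); err != nil {
				log.Printf("reload failed, still serving previous cert: %v", err)
			}
		}
	}()
	srv := &http.Server{Addr: ":8443", TLSConfig: &tls.Config{GetCertificate: r.GetCertificate}}
	log.Fatal(srv.ListenAndServeTLS("", "")) // empty paths: the hook supplies the cert
}
```

A file-watching trigger would call the same `Reload` method from its event loop, so both mechanisms from the proposal can share one swap path.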