[v18] keystore: add active health checker (#61962) #62637
Merged
dboslee merged 2 commits into branch/v18 from Jan 14, 2026
* keystore: add active health checker
the active health checker performs signing requests against CAs.
failed signing requests are reported back to a callback which will
trip Teleport's readiness state.
the health checker watches CA events to ensure that the keys being
tested are kept up-to-date.
this can be enabled by configuring
```yaml
keystore:
  health_check:
    active:
      enabled: true
```
this config format leaves room for adding alternative health checking methods
and additional parameters for the active health checker
* improve godocs
* simplify logic
* fix outdated comment
* add file license header
* fix lint
* return curr signer on health failure
* refactor watch loop to improve readability
* fix comments
* add context to deletekey godocs
* move GetTLSSigner closer to similar func def
* use synctest and remove fake clock
* update lint comment
* use lexical sorting to select next key
nklaassen approved these changes Jan 7, 2026
fspmarshall approved these changes Jan 14, 2026
backport #61962 to v18
the active health checker performs signing requests against CAs.
failed signing requests are reported back to a callback which will trip Teleport's readiness state.
the health checker watches CA events to ensure that the keys being tested are kept up-to-date.
this can be enabled by configuring
this config format leaves room for adding alternative health checking methods and additional parameters for the active health checker
changelog: Added support for health checks to monitor cert authority availability and affect Teleport Auth readiness
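
The mechanism described above, sketched as an added example that is not taken from the Teleport code base: each probe signs a test digest with the next CA key in lexical order and hands the result to a callback that trips a readiness flag. The names `probe`, `brokenSigner` and `runDemo`, the key IDs and the keys themselves are hypothetical and constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
	"sort"
)

// brokenSigner (hypothetical) stands in for a CA key whose HSM/KMS backend stopped answering.
type brokenSigner struct{ crypto.Signer }

func (brokenSigner) Sign(io.Reader, []byte, crypto.SignerOpts) ([]byte, error) {
	return nil, fmt.Errorf("key backend unavailable")
}

// probe signs a test digest with the key ID sorting after last and reports the result.
func probe(keys map[string]crypto.Signer, last string, report func(id string, err error)) string {
	ids := make([]string, 0, len(keys))
	for id := range keys {
		ids = append(ids, id)
	}
	if len(ids) == 0 {
		return last // nothing to test yet, leave the cursor where it was
	}
	sort.Strings(ids)
	id := ids[sort.SearchStrings(ids, last+"\x00")%len(ids)] // strictly after last, wrapping
	digest := sha256.Sum256([]byte("health-check"))
	_, err := keys[id].Sign(rand.Reader, digest[:], crypto.SHA256)
	report(id, err)
	return id
}

// runDemo probes three constructed keys four times; one failure trips readiness.
func runDemo() (order []string, tripped bool) {
	good, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keys := map[string]crypto.Signer{"ca-host": good, "ca-jwt": brokenSigner{good}, "ca-user": good}
	for i, last := 0, ""; i < 4; i++ {
		last = probe(keys, last, func(id string, err error) {
			order, tripped = append(order, id), tripped || err != nil
		})
	}
	return order, tripped
}

func main() { fmt.Println(runDemo()) }
```

Because the key to probe is chosen relative to the last probed ID rather than by index, the rotation stays stable when keys are added or removed between probes.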