-
Notifications
You must be signed in to change notification settings - Fork 250
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support monitoring CA rotation #1448
Comments
@ecordell is there any consideration in working this one? We have to keep remembering to kick over our pods when our CA expires |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We are currently deploying our SpiceDB cluster using the K8s operator and have it setup with a CA/TLS certificate for our clients to use when accessing it. Our CA's currently rotate every 90 days per our internal Ops standards. When they do, our internal services that talk to SpiceDB will pick up the change and reinitialize their client; however, SpiceDB does not currently reinitialize and will hold the value of the last, expired, certificate.
Without directly monitoring, this issue is only made apparent with an outage as our calls will start failing and erroring due to expired certificates, though the clients are using the new valid one.
Can SpiceDB support monitoring the CA cert as it does with the TLS certs? This would allow us to keep the rotation automated without worrying about kicking over pods ahead of each expiry or worrying about downtime during the rotation.
Thanks!
The text was updated successfully, but these errors were encountered: