spicedb icon indicating copy to clipboard operation
spicedb copied to clipboard

Published 20 hours ago verified publisher icon authzed

Support monitoring CA rotation

Open mgagliardo91 opened this issue 1 year ago • 1 comments

We are currently deploying our SpiceDB cluster using the K8s operator and have it setup with a CA/TLS certificate for our clients to use when accessing it. Our CA's currently rotate every 90 days per our internal Ops standards. When they do, our internal services that talk to SpiceDB will pick up the change and reinitialize their client; however, SpiceDB does not currently reinitialize and will hold the value of the last, expired, certificate.

Without directly monitoring, this issue is only made apparent with an outage as our calls will start failing and erroring due to expired certificates, though the clients are using the new valid one.

Can SpiceDB support monitoring the CA cert as it does with the TLS certs? This would allow us to keep the rotation automated without worrying about kicking over pods ahead of each expiry or worrying about downtime during the rotation.

Thanks!

mgagliardo91 avatar Jul 18 '23 18:07 mgagliardo91

@ecordell is there any consideration in working this one? We have to keep remembering to kick over our pods when our CA expires

mgagliardo91 avatar Nov 28 '23 17:11 mgagliardo91