
Feature Request: File-based certificate rotation / renewal in Envoy

Open bcelenza opened this issue 3 years ago • 0 comments

If you want to see App Mesh implement this idea, please upvote with a :+1:.

Tell us about your request

Today App Mesh provides two sources for certificates and certificate trust bundles when configuring TLS between services: managed ACM certificates from a private certificate authority, and certificates from the proxy's local file system. When certificates from ACM are renewed, App Mesh automatically distributes the new certificate materials to the proxy. Certificates from the file system currently require a manual process to signal Envoy to pick up the new certificate materials.

The manual signalling process is required because Envoy only watches the file system for move events. Envoy's documentation states:

Envoy will only watch the file path for moves. This is because in general only moves are atomic.

Envoy recommends using a combination of a symlink (ln) and a move (mv) command to swap file contents at runtime.

We could make this process easier by providing tooling within (and maybe outside of) the managed Envoy image to signal Envoy to retrieve the new certificate materials when they are replaced.

Which integration(s) is this request for?

All

Are you currently working around this issue?

The process recommended by Envoy can be triggered manually, via a script built into a custom-built Envoy image, or in some cases by exec-ing into the running container and issuing the commands manually.

bcelenza, Aug 10 '20 18:08
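The symlink-and-move swap the post refers to, written out as an added example (this is not code from the issue, from App Mesh, or from the Envoy project). The directory layout, the file names cert.pem and key.pem, and the numeric version labels are assumptions made for the example.

```shell
#!/bin/sh
# Atomic swap of file-based Envoy certificate material using the
# symlink + rename pattern. Envoy only watches the configured path for
# move events, so overwriting the file in place (or `ln -sf`, which
# unlinks and recreates the link) does not reliably trigger a reload.
set -eu

# rotate_file DIR NAME SRC VERSION
# Stages SRC as DIR/NAME.VERSION, then repoints DIR/NAME at it with one
# rename(2): the move Envoy is watching for. Readers of DIR/NAME see
# either the old or the new material, never a partially written file.
rotate_file() {
    dir=$1 name=$2 src=$3 version=$4
    target="$name.$version"
    tmp_link="$dir/.$name.$version.tmp"
    # 1. Copy the new material under a versioned name; umask 077 keeps a
    #    private key unreadable by others from the moment it is created.
    ( umask 077; cp "$src" "$dir/$target" )
    # 2. Create the new symlink under a temporary name. The target is
    #    relative so the directory can be mounted into the proxy container.
    ln -s "$target" "$tmp_link"
    # 3. Atomically replace DIR/NAME (a symlink to a file, so mv renames
    #    rather than moving into a directory). This is the event Envoy sees.
    mv -f "$tmp_link" "$dir/$name"
}

# current_target DIR NAME -> prints the versioned file DIR/NAME points at.
current_target() {
    readlink "$1/$2"
}

# Constructed demo (assumed names): two rotations of a cert/key pair in a
# scratch directory standing in for the directory Envoy reads from.
DEMO_DIR=$(mktemp -d)
printf 'CERT v1\n' > "$DEMO_DIR/new_cert"
printf 'KEY v1\n'  > "$DEMO_DIR/new_key"
rotate_file "$DEMO_DIR" cert.pem "$DEMO_DIR/new_cert" 1
rotate_file "$DEMO_DIR" key.pem  "$DEMO_DIR/new_key"  1
printf 'CERT v2\n' > "$DEMO_DIR/new_cert"
printf 'KEY v2\n'  > "$DEMO_DIR/new_key"
rotate_file "$DEMO_DIR" cert.pem "$DEMO_DIR/new_cert" 2
rotate_file "$DEMO_DIR" key.pem  "$DEMO_DIR/new_key"  2
echo "cert.pem -> $(current_target "$DEMO_DIR" cert.pem)"   # cert.pem -> cert.pem.2
```

Older versioned files are left in place on purpose; prune them only after Envoy has reloaded and is serving the new material.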