Automatic reload of TLS certificates from filesystem
We're trying to use the Azure Key Vault provider for Secrets Store CSI Driver in Kubernetes, which basically mounts the TLS certificates from a KeyVault into the filesystem, e.g. as /etc/tls-certificates/example.com.crt. The CSI Driver automatically updates the file when the entry in the KeyVault changes, but Caddy is not reloading the changes.
Would it make sense to change Caddy to use something like https://github.com/fsnotify/fsnotify to automatically reload TLS files when they change? If not, would it be possible to implement this as a plugin?
Related:
- https://github.com/caddyserver/caddy/issues/4005
- https://github.com/caddyserver/caddy/issues/6789
- https://caddy.community/t/force-reload-certificates/27545
@mholt I've created a draft (not working) PR for this. If you have time, it would be really nice if you could have a quick look and give some quick/blunt comments on whether this is the right direction or not.