
Cert: auto rollout when it's changed

Open Pothulapati opened this issue 1 year ago • 1 comment

Currently, we don't automatically roll out when an underlying TLS secret is updated. Users want us to do it automatically without any intervention.

Pothulapati · Feb 01 '24 05:02

I ran into this issue, and hacked together an "operator" to do this... It basically monitors Dragonfly instances, the secrets they use, and calls CONFIG SET tls true using the admin port. This is not great for a couple of reasons:

  1. it requires access to the admin port (which ideally could be closed, or at least authenticated for security reasons)
  2. there's always a delay between when the k8s secret gets updated and when the volume data (i.e. the pem files) actually gets updated on the node running the Dragonfly server, so the code has to actually connect to the server to check that the new certificate is in use.

It feels like this could be solved much more easily in Dragonfly itself: stat() the cert/key files on a regular basis, and reload the TLS config if they changed?

abustany · May 09 '25 09:05
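The stat()-and-reload approach proposed in the comment above, as an added example that is not part of this issue, of the dragonfly-operator, or of Dragonfly itself. Names such as `CertReloader`, `Check`, `Serial` and `WriteSelfSignedPair`, and the `cert.pem`/`key.pem` file names, are assumptions made for the demo; the self-signed pair is constructed in-process so the program runs offline. It covers both points raised in the comment: no admin port is involved, and the serial of the leaf actually being served is what confirms that a rotation took effect rather than the Secret update itself. A pair that fails to parse (a half-written file, or a cert and key from different rotations) is rejected and the previous pair keeps serving.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// CertReloader serves the key pair on disk and re-reads it when stat() shows a new mtime on either file.
type CertReloader struct {
	CertPath, KeyPath string
	mu                sync.RWMutex
	cert              *tls.Certificate
	certMod, keyMod   time.Time
}

// Check is one poll (call it from a single goroutine); it reports true when a new pair was loaded. A pair
// that does not parse (half-written file, mismatched cert and key) is rejected and the old pair stays.
func (r *CertReloader) Check() (bool, error) {
	ci, err := os.Stat(r.CertPath)
	if err != nil {
		return false, err
	}
	ki, err := os.Stat(r.KeyPath)
	if err != nil {
		return false, err
	}
	if r.cert != nil && ci.ModTime().Equal(r.certMod) && ki.ModTime().Equal(r.keyMod) {
		return false, nil
	}
	pair, err := tls.LoadX509KeyPair(r.CertPath, r.KeyPath)
	if err != nil {
		return false, fmt.Errorf("keeping previous pair: %w", err)
	}
	r.mu.Lock()
	r.cert, r.certMod, r.keyMod = &pair, ci.ModTime(), ki.ModTime()
	r.mu.Unlock()
	return true, nil
}

// GetCertificate fits tls.Config.GetCertificate: new handshakes get the latest pair, open connections are untouched.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

// Serial of the leaf actually in service, so a rotation can be confirmed rather than assumed.
func (r *CertReloader) Serial() string {
	c, _ := r.GetCertificate(nil)
	leaf, _ := x509.ParseCertificate(c.Certificate[0])
	return leaf.SerialNumber.String()
}

// WriteSelfSignedPair writes a constructed self-signed cert.pem/key.pem into dir and returns the
// serial; a second call on the same dir is the rotation. Demo scaffolding, so it panics on error.
func WriteSelfSignedPair(dir, cn string) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	check(os.WriteFile(filepath.Join(dir, "cert.pem"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600))
	check(os.WriteFile(filepath.Join(dir, "key.pem"), pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600))
	return serial.String()
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	dir, _ := os.MkdirTemp("", "dfly-tls")
	defer os.RemoveAll(dir)
	old := WriteSelfSignedPair(dir, "dragonfly")
	r := &CertReloader{CertPath: filepath.Join(dir, "cert.pem"), KeyPath: filepath.Join(dir, "key.pem")}
	_, err := r.Check() // initial load; hand r.GetCertificate to tls.Config.GetCertificate
	check(err)
	time.Sleep(time.Second)               // let the mtime clock tick past the first write
	WriteSelfSignedPair(dir, "dragonfly") // stands in for the kubelet refreshing the mounted Secret
	reloaded, err := r.Check()
	fmt.Printf("reloaded=%v err=%v serial %s -> %s\n", reloaded, err, old, r.Serial())
}
```

In production `Check` would sit behind a `time.Ticker` at an interval of a few seconds, which makes the one-second sleep in `main` irrelevant; the sleep only exists because two writes landing inside the kernel's timestamp granularity would carry the same mtime, and comparing mtime alone would miss such a rewrite (hashing the file contents on each poll closes that gap at negligible cost for PEM-sized files). `os.Stat` follows symlinks, so the kubelet's atomic `..data` symlink swap on a Secret volume is observed as a new mtime; a Secret mounted via `subPath` is never refreshed by the kubelet at all, and no amount of polling will help there.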