
Supporting certificate rotation in admission controllers

Open olix0r opened this issue 3 years ago • 1 comment

When implementing an admission controller, we run a warp/hyper server using TLS credentials from a Secret (typically loaded from disk). These credentials can change at runtime (i.e. by cert-manager). Currently, such changes are not observed until the process is restarted (or maybe, more generally, until the server is discarded and rebuilt?).

In Linkerd, we can probably work around this manually; and this is probably more of an issue for hyper/warp, but this seems like a general problem that will impact all admission controllers so it would be best for kube-rs's examples to provide guidance on how to support certificate rotation.

Note that we're using native-tls, as we encountered a variety of Kubernetes environments that were incompatible with rustls. I expect that this deficiency exists in all TLS implementations, though.

We (the Linkerd team) are happy to help make improvements when we figure out what they are, but I wanted to open an issue here to ensure that the kube-rs community is aware of this operational concern.

Related to https://github.com/linkerd/linkerd2/issues/7519

olix0r, Jan 05 '22 17:01
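A std-only Rust sketch of the reload-on-change pattern the issue above asks for, added here as an example (it is not kube-rs, Linkerd or cert-manager code): it re-reads the Secret-mounted `tls.crt`/`tls.key` files, compares contents rather than mtimes (kubelet updates Secret volumes by atomically swapping a symlinked directory), and only swaps in material when both files read cleanly. The `TlsMaterial` and `CertReloader` names and the file paths are assumptions; building the `native_tls::Identity` and acceptor from each snapshot is left to the server.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::sync::RwLock;

/// Raw PEM bytes as mounted from a Kubernetes TLS Secret (tls.crt / tls.key).
/// Hypothetical type: the server would turn this into a native_tls::Identity.
#[derive(Clone, PartialEq, Debug)]
pub struct TlsMaterial {
    pub cert_pem: Vec<u8>,
    pub key_pem: Vec<u8>,
}

/// Holds the credentials currently in use and reloads them when the files change.
/// Share it behind an Arc; a poll loop calls reload_if_changed() and the
/// accept path calls current() to build a fresh acceptor after a rotation.
pub struct CertReloader {
    cert_path: PathBuf,
    key_path: PathBuf,
    current: RwLock<TlsMaterial>,
}

impl CertReloader {
    pub fn new(cert_path: impl AsRef<Path>, key_path: impl AsRef<Path>) -> io::Result<Self> {
        let cert_path = cert_path.as_ref().to_path_buf();
        let key_path = key_path.as_ref().to_path_buf();
        let initial = Self::read(&cert_path, &key_path)?;
        Ok(Self { cert_path, key_path, current: RwLock::new(initial) })
    }

    fn read(cert: &Path, key: &Path) -> io::Result<TlsMaterial> {
        Ok(TlsMaterial { cert_pem: fs::read(cert)?, key_pem: fs::read(key)? })
    }

    /// Snapshot of the material to build a TLS acceptor from.
    pub fn current(&self) -> TlsMaterial {
        self.current.read().unwrap().clone()
    }

    /// Re-read both files; Ok(true) means the pair changed and was swapped in.
    /// Any read error keeps the previous material, so a half-written volume
    /// never replaces a working cert/key pair.
    pub fn reload_if_changed(&self) -> io::Result<bool> {
        let fresh = Self::read(&self.cert_path, &self.key_path)?;
        let mut guard = self.current.write().unwrap();
        if *guard == fresh {
            return Ok(false);
        }
        *guard = fresh;
        Ok(true)
    }
}
```

Because cert-manager rewrites both files, reading them at one instant and swapping them as a pair avoids serving a new certificate with the old key.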

I think we probably want to have a page on kube.rs on the controller guide dedicated to this. Have linked this issue from https://github.com/kube-rs/website/issues/5

clux, Mar 31 '22 19:03