chore(backend): add TLS certificate rotation documentation and helper scripts. Fixes #12328
Description of your changes:
This PR adds missing documentation for TLS certificate rotation required when using the pod-to-pod TLS feature introduced in PR #12082. When TLS secrets are renewed, backend services (API server, persistence agent, metadata writer, cache server, etc.) do not automatically reload updated certificate data. A rolling restart is required. This behavior was previously undocumented.
The updates included in this PR:
- Documentation update (backend/README.md):
  - Added a new section “TLS Certificate Rotation (Pod-to-Pod TLS)”.
  - Explained why certificate rotation is needed, how secrets interact with backend components, and why pods must be restarted.
  - Added a complete, copy-paste-ready rotation procedure:
    - Generate/obtain new TLS certs (server.crt/server.key)
    - Update the TLS secret using `kubectl create secret tls ... | kubectl apply -f -`
    - Restart affected deployments with `kubectl rollout restart`
    - Verify rollouts and confirm the certificate is active.
  - Added best practices, troubleshooting notes, common errors, and automation guidance (cert-manager + checksum annotations).
  - Added cluster discovery commands to help users identify the exact secret and deployments referencing it.
- Helper scripts added (optional but helpful for operators):
  - scripts/find-tls-refs.sh: Identifies which pods/deployments reference the TLS secret (via volumes or env secretKeyRef). Helps operators know exactly which deployments must be restarted.
  - scripts/rotate-tls.sh: Applies the new TLS cert/key to the Kubernetes Secret and automatically restarts all deployments referencing the secret, waiting for rollout completion.
- General improvements:
  - Normalized README formatting.
  - Ensured all examples are reproducible and use correct fenced code blocks.
  - Provided safer and clearer operational guidance for cluster administrators.
These changes directly address the missing operational documentation noted in issue #12328 and align with the maintainers’ suggestion to include example commands.
Checklist:
- [ ] You have signed off your commits
- [ ] The title for your pull request (PR) follows the title convention.
Learn more about the pull request title convention used in this repository.
Links
- Related feature PR (TLS implementation): #12082
- Documentation issue: #12328
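The discovery step the description outlines (find every Deployment that consumes the TLS Secret, then restart exactly those) can be expressed as a small offline check. This is an added illustration, not the PR's scripts/find-tls-refs.sh or scripts/rotate-tls.sh; it goes slightly beyond the description by also matching projected volumes and envFrom secretRef, and the Deployment list, the secret name `kfp-tls` and the namespace `kubeflow` are constructed sample values.

```python
import json

# Constructed sample shaped like `kubectl get deployments -o json` output (not real cluster data).
SAMPLE_DEPLOYMENTS = json.loads("""
{"items": [
 {"metadata": {"name": "ml-pipeline"}, "spec": {"template": {"spec": {
   "volumes": [{"name": "tls", "secret": {"secretName": "kfp-tls"}}],
   "containers": [{"name": "api"}]}}}},
 {"metadata": {"name": "metadata-writer"}, "spec": {"template": {"spec": {
   "containers": [{"name": "writer", "env": [{"name": "TLS_KEY",
     "valueFrom": {"secretKeyRef": {"name": "kfp-tls", "key": "tls.key"}}}]}]}}}},
 {"metadata": {"name": "cache-server"}, "spec": {"template": {"spec": {
   "volumes": [{"name": "certs", "projected": {"sources": [{"secret": {"name": "kfp-tls"}}]}}],
   "containers": [{"name": "cache"}]}}}},
 {"metadata": {"name": "unrelated"}, "spec": {"template": {"spec": {
   "volumes": [{"name": "cfg", "configMap": {"name": "app-config"}}],
   "containers": [{"name": "app", "envFrom": [{"secretRef": {"name": "other-secret"}}]}]}}}}
]}""")

def references_secret(pod_spec: dict, secret: str) -> bool:
    """True if the pod template consumes `secret` as a volume, projected source,
    env secretKeyRef or envFrom secretRef (init containers included)."""
    for vol in pod_spec.get("volumes", []):
        if vol.get("secret", {}).get("secretName") == secret:
            return True
        if any(s.get("secret", {}).get("name") == secret
               for s in vol.get("projected", {}).get("sources", [])):
            return True
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        if any(e.get("valueFrom", {}).get("secretKeyRef", {}).get("name") == secret
               for e in c.get("env", [])):
            return True
        if any(ef.get("secretRef", {}).get("name") == secret for ef in c.get("envFrom", [])):
            return True
    return False

def deployments_referencing(deploy_list: dict, secret: str) -> list:
    """Names of Deployments whose pods must be restarted after `secret` is rotated."""
    return sorted(d["metadata"]["name"] for d in deploy_list["items"]
                  if references_secret(d["spec"]["template"]["spec"], secret))

def restart_plan(names: list, namespace: str) -> list:
    """kubectl commands: restart each affected Deployment, then wait for its rollout to finish."""
    return [f"kubectl -n {namespace} rollout restart deployment/{n}" for n in names] + \
           [f"kubectl -n {namespace} rollout status deployment/{n} --timeout=300s" for n in names]

if __name__ == "__main__":
    targets = deployments_referencing(SAMPLE_DEPLOYMENTS, "kfp-tls")
    print("\n".join(restart_plan(targets, "kubeflow")))
```

Against a live cluster the sample would be replaced by `kubectl get deployments -n <ns> -o json`; a Deployment that only reads the Secret by name at runtime (no volume or env reference) would not be found this way and still needs a manual restart.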
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: Once this PR has been reviewed and has the lgtm label, please assign chensun for approval. For more information see the Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
Hi @rahul810050. Thanks for your PR.
I'm waiting for a kubeflow member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi @alyssacgoins!!
Thanks for the clarifications!! I will update the PR soon
Hi @alyssacgoins, could you please review it??