
The spire-agent k8s workload attestor won't refresh the kubelet CA if it changes on disk

Open kfox1111 opened this issue 1 year ago • 6 comments

There is no way to notify the agent or have the agent notice itself, if kubelet's server cert is updated.

kfox1111 avatar Aug 09 '24 14:08 kfox1111

Seems reasonable to periodically reload that file.

azdagron avatar Aug 13 '24 18:08 azdagron

Hmm.... It's not a very costly operation, I would think. Would it make sense to either:

  • reload before each call back to the SPIRE server (assuming it's not very frequent?)
  • reload after a failure to connect to the SPIRE server, so the next retry would get the update

kfox1111 avatar Aug 16 '24 09:08 kfox1111

Why not use fsnotify to actually watch the file system instead?

SpectralHiss avatar Sep 13 '24 08:09 SpectralHiss

This issue is stale because it has been open for 365 days with no activity.

github-actions[bot] avatar Sep 13 '25 22:09 github-actions[bot]

I'm not sure this is a problem, we reload the CA certs every time we create a new kubelet client, which is once every minute or so. See here where we reload the CA and the default interval.

@kfox1111 was this reload every minute not working for you? Did you configure the reload interval to be higher? If the CA changes in a live system (don't know if that's possible) you'll have some downtime for up to 1 minute, but I'm sure the agent won't be the only thing having that issue.

sorindumitru avatar Sep 14 '25 07:09 sorindumitru

Hmm. I think I looked at the code, but didn't realize it would refresh it. If you think it's refreshing OK, I think we can close it.

kfox1111 avatar Sep 14 '25 22:09 kfox1111

Good to close based on that: we reload the file every minute.

sorindumitru avatar Jan 03 '26 12:01 sorindumitru