-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Run a custom script at renewal time #57
base: master
Are you sure you want to change the base?
Conversation
This is a first aproximation to a solution. It's a bit brute force - mount a config map in the pod with a script to run at renewal time. I'll need to update controller to check for an attribute (that specifies a script path) so the voulmeMount is only inserted if there's a good chance that it's going to work.
Bring in upstream changes
If a pod is annotated with `autocert.step.sm/renewalVolume: script', then controller will add a volume map to the named volume to the renewal container.
Hi @Moosemorals, it makes sense to be able to execute a script after creating or renewing a certificate; your implementation has good ideas, but I don't think it is the right approach. As you mentioned, it will require Right now, you always have the option to change the images or even add volumes in the autocert We'll have to figure out a way not just to add the We'll have to come up with a design on how to make this work, but I think it will provide more flexibility than this. I'd like to hear from you, what do you think? |
I think we should solve the problem of restarting services after renewal in the simplest way possible for users. I propose adding an annotation
|
I think that's probably a little too simple, I'd want to be able to at least choose the signal (eg, postgres will reload config on a SIGHUP, haproxy wants a SIGUSR2) |
Would something like |
I'm new to this whole k8s thing so I don't know the culture/style, but I'd just add another attribute for signal name/number, unless there's some cost I'm missing? I had a bit of a play with shared volumes, but the problem comes down to the renew container (and Shared process space allows signals, which are easy at both ends. Without that, then something like a shared volume and inotify should work but that would need more cooperation from the prime container (some services can be setup to listen on a unix socket for commands, but I think that's probably less common than signals, and the format for the 'reload config/certs' command will almost certainly be different per service) (also, do unix sockets work cross container?) |
@areed I kind of prefer something more flexible and mount a configmap with a special set of labels for different actions:
Then both bootstrap and renewer scripts can be aware of all that. |
My proposal is perhaps too complex and for just This is the set of related flags that
|
I had a look at |
AFAIK you will always need |
|
Some applications don't notice when their certificates are changed on disk after auto-renewal.
step ca renew
has an--exec
option to allow arbitary code to be run at renewal time, but the existing autocert-renewal container doesn't hook into that.This pach updates autocert-controller to add a volumeMount to the renewal container if the user has created an
autocert.step.sm/renewalVolume
annotation (with a value of the name of the volume to mount).It also updates autocert-renewal to check for a file at
/renewer/renewal.sh
and, if found, adds an--exec=/renewer/renewal.sh
option tostep ca renew
.It's a bit of a hack, I'm not entirely happy with it, but it does work, allowing users to signal the main application in the appropriate way after a renewal.
Feedback/advice/suggestions welcome/encouraged!