Automatic Certificate Rotation #3398
Comments
There's a guide for cert manager integration in https://gateway.envoyproxy.io/v1.0.1/install/custom-cert/ and there's also a knob to keeping this issue open for someone from the community to improve the docs
If Certificate Manager is used what downtime is incurred by Certificate Manager rotating the certificate or CA?
related: #4891
It really depends on how you're using EG. For example, I expect that you would only experience an impact if you're using a feature like rate-limiting. This would also depend on the volume of traffic that you have and how many new connections from Envoy to Rate Limit would be established while Certs are not in sync. From my limited testing, it can take up to a minute or two for K8s to refresh the mounted secrets and Envoy to pick it up.
Closing this in favor of #4891
Description:
Similar to Emissary Ingress we are creating a certificate on creation and it has a static expiration of 5 years (emissary does 1 year) with no automatic refresh: emissary-ingress/emissary#4442
We should have a way to opt in to allow Cert Manager to control refreshes of certificates and automatically do restarts or any other necessary processes to ensure rotations incur 0 downtime.