Skip to content

feat(server): Watch the tls certs for changes and update the served certs #4697

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(server): Watch the tls certs for changes and update the served certs #4697

wants to merge 1 commit into from
+435 −3

Conversation

@dbason
Copy link

@dbason dbason commented Jul 28, 2025

Fixes #4617

Watches the certificate file locations (in a manner that is compatible with how k8s links and mounts secrets). Instead of passing the certificate files directly to the http server it uses GetCertificate instead, and updates the certificate when the files are changed.

@netlify
Copy link

netlify bot commented Jul 28, 2025
edited
Loading

Deploy Preview for docs-kargo-io canceled.

Name Link
🔨 Latest commit cb6361b
🔍 Latest deploy log https://app.netlify.com/projects/docs-kargo-io/deploys/68d3271edebe680008e1740e

@dbason dbason changed the title Watch the tls certs for changes update the served certs feat(server): Watch the tls certs for changes and update the served certs Jul 28, 2025
@dbason dbason marked this pull request as ready for review July 28, 2025 04:30
@dbason dbason requested a review from a team as a code owner July 28, 2025 04:30
@krancour krancour self-requested a review July 29, 2025 02:42
@krancour krancour added area/security Has security implications and needs to be handled with great caution priority/normal This is the priority for most work kind/enhancement An entirely new feature area/api-server Affects Kargo's API server labels Jul 29, 2025
@krancour
Copy link
Member

I'd hold off on doing this until what's already here as been reviewed / agreed on, but the external webhooks server is probably in need of this exact same feature.

@krancour krancour added this to the v1.8.0 milestone Jul 31, 2025
@dbason
Copy link
Author

dbason commented Jul 31, 2025

@krancour is there anything else I need to do to get approval for the CI to run?

@dbason
Copy link
Author

dbason commented Jul 31, 2025 

internal/server/server.go:253:21: G402: TLS MinVersion too low. (gosec)
			srv.TLSConfig = &tls.Config{
				GetCertificate: certLoader.GetCertificate,
			}
1 issues:

This hasn't actually functionally changed from what the code was doing previously but I think it's being picked up now because I'm explicitly setting the TLSConfig. I can update this.

=== RUN   TestDirectoryWatcher
    directorywatcher_test.go:56: 
        	Error Trace:	/__w/kargo/kargo/internal/server/certwatcher/directorywatcher_test.go:56
        	Error:      	Should be false
        	Test:       	TestDirectoryWatcher
        	Messages:   	channel should be closed
--- FAIL: TestDirectoryWatcher (0.05s)
FAIL
coverage: 87.5% of statements

This passed locally when I was testing but might be flaky so I'll check on it.

@krancour
Copy link
Member

krancour commented Aug 1, 2025

is there anything else I need to do to get approval for the CI to run?

They ran. Wonder if @hiddeco authorized it maybe. 🤷‍♂️

This passed locally when I was testing

It's a little bit slower, but make hack-test-unit (as opposed to make test-unit) should execute the tests in as close as we can get to the same environment they're executed in in CI.

@dbason
Copy link
Author

dbason commented Aug 1, 2025

I've updated the minimum TLS version to be 1.3 and updated the flaking test to be more resilient.

@krancour krancour removed this from the v1.8.0 milestone Aug 12, 2025
@dbason
Copy link
Author

dbason commented Aug 26, 2025

Is there anything else I can do to move this forward @krancour ?

@dbason
Watch the tls certs for changes update the served certs
cb6361b 
Signed-off-by: Dan Bason <dan.bason@dronedeploy.com>
@dbason
Copy link
Author

dbason commented Sep 23, 2025

@krancour we ran into this again recently in our infrastructure. I've rebased and updated the logging package but it would be great to get some idea how how you guys want to handle the certs and push it into the external webhook controller as well.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@krancour krancour Awaiting requested review from krancour

At least 1 approving review is required to merge this pull request.

Assignees

@krancour krancour

@dbason dbason

Labels

area/api-server Affects Kargo's API server area/security Has security implications and needs to be handled with great caution kind/enhancement An entirely new feature priority/normal This is the priority for most work

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feature Request: Reload kargo-api TLS certificate when it is updated

2 participants

@dbason @krancour