
[BUG] TLS certificates cannot be renewed without downtime #947

Open
malayh opened this issue Jan 27, 2025 · 2 comments
Labels
bug Something isn't working question User questions. Neither a bug nor feature request.

Comments

@malayh

malayh commented Jan 27, 2025

What is the bug?

The TLS certificates are mounted using subPath, so even if the secrets update, the pods don't receive the renewed certificate without restarting all the pods and manually triggering a security update that puts the new certificate across all cluster nodes. This means you can't renew the TLS certs without downtime.

```yaml
volumeMounts:
  - mountPath: /usr/share/opensearch/config/tls-transport/ca.crt
    name: transport-ca
    subPath: ca.crt
  - mountPath: /usr/share/opensearch/config/tls-transport/tls.key
    name: transport-key
    subPath: tls.key
  - mountPath: /usr/share/opensearch/config/tls-transport/tls.crt
    name: transport-cert
    subPath: tls.crt
  - mountPath: /usr/share/opensearch/config/tls-http/ca.crt
    name: http-ca
    subPath: ca.crt
  - mountPath: /usr/share/opensearch/config/tls-http/tls.key
    name: http-key
    subPath: tls.key
  - mountPath: /usr/share/opensearch/config/tls-http/tls.crt
    name: http-cert
    subPath: tls.crt
```

How can one reproduce the bug?

Set up a cluster with a certificate that expires soon. Then renew the certificate and the pod won't receive the change.

What is the expected behavior?

When the secrets containing the TLS certs update, the pods should automatically receive the new certs and propagate the change across all the nodes without downtime.

Additional context

I am using cert-manager to create all the certificates, which renews them automatically. But the cluster's pods don't update with the new certificates.

@malayh malayh added bug Something isn't working untriaged Issues that have not yet been triaged labels Jan 27, 2025
@prudhvigodithi
Member

[Triage]
AFAIK the volumeMounts by default should put the updated files inside the pod, but OpenSearch might require a restart to pick up the new certs; adding @cwperks here for more details. But @malayh, how about you try a rolling upgrade, which should not cause any downtime.
Thanks

@prudhvigodithi prudhvigodithi added question User questions. Neither a bug nor feature request. and removed untriaged Issues that have not yet been triaged labels Jan 30, 2025
@malayh
Author

malayh commented Jan 31, 2025

@prudhvigodithi How can I manually trigger a rolling update?
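An added example (Python; not code from the operator or from anyone in this thread) tying the two points of the thread together: it rewrites the subPath mounts quoted in the issue into one projected directory mount per TLS directory, which the kubelet can refresh in place, and computes a checksum of the Secret for a pod-template annotation so a renewed certificate triggers the rolling update asked about above. The Secret names and the annotation key are assumptions, since the issue does not show the `volumes` section.

```python
"""Added example, not the operator's code: replace subPath file mounts with
projected directory mounts, and derive a checksum annotation that makes a
renewed Secret roll the StatefulSet. Secret names are assumed."""
import hashlib
import json
import posixpath
from collections import defaultdict

# Constructed input mirroring the volumeMounts quoted in the issue.
SUBPATH_MOUNTS = [
    {"mountPath": f"/usr/share/opensearch/config/tls-{kind}/{fname}",
     "name": f"{kind}-{vol}", "subPath": fname}
    for kind in ("transport", "http")
    for fname, vol in (("ca.crt", "ca"), ("tls.key", "key"), ("tls.crt", "cert"))
]
# Assumed volume -> Secret mapping (the issue does not show the volumes list).
SECRET_OF_VOLUME = {m["name"]: f"opensearch-{m['name']}" for m in SUBPATH_MOUNTS}


def to_projected(mounts, secret_of_volume):
    """Group subPath mounts by target directory and return (volumeMounts,
    volumes) with one projected volume per directory. Without subPath the
    kubelet's periodic Secret sync updates the files in the running pod by
    swapping the ..data symlink; a subPath mount is a bind mount of the
    file as it was at pod start and never sees the renewal."""
    by_dir = defaultdict(list)
    for m in mounts:
        directory, fname = posixpath.split(m["mountPath"])
        by_dir[directory].append((m["name"], m["subPath"], fname))
    new_mounts, new_volumes = [], []
    for directory, items in by_dir.items():
        vol = posixpath.basename(directory)  # e.g. "tls-transport"
        new_mounts.append({"mountPath": directory, "name": vol, "readOnly": True})
        sources = [{"secret": {"name": secret_of_volume[v],
                               "items": [{"key": key, "path": fname}]}}
                   for v, key, fname in items]
        new_volumes.append({"name": vol, "projected": {"sources": sources}})
    return new_mounts, new_volumes


def cert_checksum(secret_data):
    """SHA-256 over a Secret's data map (key order does not matter). Store it
    in spec.template.metadata.annotations (assumed key: checksum/tls): when
    cert-manager renews the certificate the value changes, the pod template
    changes, and the StatefulSet controller performs a rolling update, the
    same effect as 'kubectl rollout restart statefulset/<name>' by hand."""
    canonical = json.dumps(secret_data, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()
```

Because OpenSearch may still need a process restart to load new certificates, the checksum annotation (rolling update) is the part that closes the gap even after the mounts are fixed.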
