Authservice config (ca cert/redis) only read at install #1130

Open
mjnagel opened this issue Dec 17, 2024 · 1 comment
Labels
bug Something isn't working

mjnagel commented Dec 17, 2024

The UDS Operator config includes two config values for authservice, CA Cert and Redis. This config secret is provided to Pepr pods as env vars but changes to values are not properly handled. This particular issue is focused on the two authservice values.

In order to properly handle modifications to this configuration:

  1. Pepr must update the UDSConfig when the secret changes. This could be done with a watch on the secret or a checksum on the pepr pods to cycle them when the secret updates.
  2. Code around the authservice config must handle adding/changing the CA cert and redis configuration. Currently these values are only added as part of buildInitialSecret, meaning this only works when the authservice-uds secret does not exist. We should ensure that when the config is changed we also update the secret and cycle authservice.

Definition of done: Slim-dev can be deployed without configuration for redis/ca-cert. After adding either or both of these parameters Pepr properly updates the authservice-uds secret and cycles the Authservice pod to read the new config.

Note: There are other "upgrades" that we do not account for in the config, like changing domain. These should not be part of this issue but are good to track as known limitations as well.
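
The checksum option from item 1 combined with the requirement in item 2, as an added example that is not part of the original issue and is not the UDS Operator's code: the desired settings are reconciled on every config change instead of only when the secret is first built, and a checksum placed on the pod template forces a rollout when they differ. The type shapes, function names, the annotation key and the sample values are all assumptions made for illustration.

```typescript
import { createHash } from "node:crypto";

// Hypothetical, simplified shapes: not the UDS Operator's or Authservice's real types.
interface AuthserviceSettings { caCert?: string; redisUri?: string }
interface ReconcileResult { settings: AuthserviceSettings; changed: boolean; checksum: string }

// Hypothetical annotation key used to carry the config checksum on the pod template.
const CHECKSUM_ANNOTATION = "example.invalid/authservice-config-checksum";

// Stable SHA-256 over the settings: keys sorted, unset or empty values omitted,
// so {} and { caCert: "" } hash identically.
function settingsChecksum(s: AuthserviceSettings): string {
  const canonical = Object.entries(s)
    .filter(([, v]) => v !== undefined && v !== "")
    .sort(([a], [b]) => a.localeCompare(b));
  return createHash("sha256").update(JSON.stringify(canonical)).digest("hex");
}

// Compute the settings the secret should hold and whether it must be rewritten.
// `existing` is undefined on first install (no secret yet). Unlike an
// install-only build step, this also covers values added, changed or removed later.
function reconcileAuthservice(
  existing: AuthserviceSettings | undefined,
  desired: AuthserviceSettings,
): ReconcileResult {
  const settings: AuthserviceSettings = {};
  if (desired.caCert) settings.caCert = desired.caCert;
  if (desired.redisUri) settings.redisUri = desired.redisUri;
  const checksum = settingsChecksum(settings);
  const changed = existing === undefined || settingsChecksum(existing) !== checksum;
  return { settings, changed, checksum };
}

// Deployment patch: a changed pod-template annotation makes Kubernetes roll the
// pods, so Authservice restarts and reads the updated secret.
function rolloutPatch(checksum: string) {
  return { spec: { template: { metadata: { annotations: { [CHECKSUM_ANNOTATION]: checksum } } } } };
}

// Constructed sample run: install with neither value, then add redis, then re-apply.
const install = reconcileAuthservice(undefined, {});
const addRedis = reconcileAuthservice(install.settings, { redisUri: "redis://redis.example.invalid:6379" });
const reapply = reconcileAuthservice(addRedis.settings, { redisUri: "redis://redis.example.invalid:6379" });
console.log(install.changed, addRedis.changed, reapply.changed);
if (addRedis.changed) console.log(JSON.stringify(rolloutPatch(addRedis.checksum)));
```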

mjnagel added the possible-bug (Something may not be working) and bug (Something isn't working) labels and removed the possible-bug (Something may not be working) label Dec 17, 2024

mjnagel commented Dec 17, 2024

From user reports there is a workaround that can be used by deleting the authservice-uds secret and cycling the pepr watcher pod. This is obviously not ideal, but is functional until this issue is resolved.
