-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No retry mechanism the cert fetch #1131
Comments
cc: @susanshi |
Hi @duffney Josh, The certificate store reconcile is only triggered when the CR is modified. In the case of permission change, since the action is external to ratify, customer would need to manually trigger a fetch operation by deleting and applying the CR again. I will add a TSG for this work around , thank you for the submitting this feedback. It is also an option to implement to scheduled sync, we will need to discuss if this setting should be configurable, and the if certificate should be evited if fetch operation fails. |
TSG PR submitted for review :ratify-project/ratify-web#28 |
@susanshi @akashsinghal I would like to discuss this issue in the community meeting this week. |
Hi @duffney , the secrets store csi driver supports auto rotation, we could see if there are anything we could reference from their design. |
What happened in your environment?
I installed Ratify on my AKS cluster before the appropriate access policy was assigned to the managed identity used by Ratify to connect to an Azure Key Vault instance. Once I noticed the issue, I assigned the appropriate access policy to the identity, but without a retry for the certificate fetch I was forced to uninstall and reinstall Ratify on the cluster. @akashsinghal mentioned it's also possible to delete the certstore-akv certificatestore to force a new fetch to occur.
What did you expect to happen?
I expected that Ratify would retry the fetch and resolve the cert issues.
What version of Kubernetes are you running?
1.26.3
What version of Ratify are you running?
v1.0.0
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this bug fix?
Steps to reproduce the error
cd terraform
,terraform init && terraform apply --auto-approve
az aks get-credentials --resource-group ${GROUP_NAME} --name ${AKS_NAME}
The text was updated successfully, but these errors were encountered: