Skip to content

tlsutil,transport,embed: add CA trust bundle hot-reload support #21074

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
aaomidi wants to merge 1 commit into
base: main
Choose a base branch
from
Open

tlsutil,transport,embed: add CA trust bundle hot-reload support #21074

aaomidi wants to merge 1 commit into from

Conversation

@aaomidi
Copy link

@aaomidi aaomidi commented Jan 3, 2026
edited
Loading

Fixes #11555

Add support for dynamically reloading trusted CA certificates without requiring server restart. This enables zero-downtime CA rotation for mTLS clusters.

Key changes:

  • Add CAReloader in tlsutil that polls CA files and updates the certificate pool when changes are detected (using SHA256 hashing)
  • Integrate CA reload into transport layer for both server and client TLS
  • Add --peer-tls-reload-ca, --client-tls-reload-ca, and --tls-ca-reload-interval flags to etcd server
  • Add Prometheus metrics for CA reload operations
  • Add integration test for CA rotation scenarios

The feature is disabled by default and must be explicitly enabled via the new flags.

I am happy to split this up as most of this PR is just the various integration/e2e tests.

@k8s-ci-robot
Copy link

k8s-ci-robot commented Jan 3, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: aaomidi
Once this PR has been reviewed and has the lgtm label, please assign ahrtr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot
Copy link

k8s-ci-robot commented Jan 3, 2026

Hi @aaomidi. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@aaomidi aaomidi force-pushed the push-xowutovlnqxu branch from edf7137 to 40d8dff Compare January 3, 2026 05:32
@aaomidi aaomidi marked this pull request as ready for review January 3, 2026 05:34
@aaomidi aaomidi force-pushed the push-xowutovlnqxu branch from 40d8dff to 82c4cf2 Compare January 3, 2026 05:35
@aaomidi
tlsutil,transport,embed: add CA certificate hot-reload support
6d0127e 
Add support for dynamically reloading trusted CA certificates without
requiring server restart. This enables zero-downtime CA rotation for
mTLS clusters.

Key changes:
- Add CAReloader in tlsutil that polls CA files and updates the
  certificate pool when changes are detected (using SHA256 hashing)
- Integrate CA reload into transport layer for both server and client TLS
- Add --peer-tls-reload-ca, --client-tls-reload-ca, and
  --tls-ca-reload-interval flags to etcd server
- Add Prometheus metrics for CA reload operations
- Add integration test for CA rotation scenarios

The feature is disabled by default and must be explicitly enabled via
the new flags.

Signed-off-by: Amir Omidi <amir@aaomidi.com>
@aaomidi aaomidi force-pushed the push-xowutovlnqxu branch from 82c4cf2 to 6d0127e Compare January 5, 2026 19:03
@aaomidi aaomidi changed the title tlsutil,transport,embed: add CA certificate hot-reload support tlsutil,transport,embed: add CA trust bundle hot-reload support Jan 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area/testing needs-ok-to-test size/XXL

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ETCD doesn't automatically load changes to ca bundles for peer-trusted-ca-file or trusted-ca-file

2 participants

@aaomidi @k8s-ci-robot