goharbor/harbor-operator

Internal TLS expiration behaviour

BRONSOLO opened this issue · 3 comments

When an internal TLS certificate expires and gets rotated by cert-manager, the operator does not seem to handle reloading the processes (e.g., /usr/bin/registry_DO_NOT_USE_GC serve) that reference these TLS certificates / mounted secrets. As a result, the harbor services fail to reach one another (with a 500-level TLS handshake error):

2022/11/17 13:46:29 http: TLS handshake error from 127.0.0.6:52783: remote error: tls: bad certificate

Once the certificate expires, the new certificate gets mounted into the pod as expected but the old certificate is still being served.

I'm curious what the expectation is here. Should all harbor cluster pods be rotated manually to pick up the new TLS certificates?

Thanks!

Hello,

It seems related to issue #712

Thomas

Thanks @thcdrt! I had a look at that ticket as well as I also thought it could be related. I think #712 captures a separate failure state actually as I'm seeing that the non-CA certificates do get updated in the pod + mounted secrets as expected.

Just for the record, in case somebody finds this issue ... It can be worked around by deploying stakater/reloader and restarting Harbor's pods when the secret (TLS cert) changes.
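An added illustration of the two behaviours discussed in this thread; it is not code from harbor-operator, Harbor or the registry, and it does not describe how those components actually load their certificates. A process that calls `tls.LoadX509KeyPair` once at startup is the pattern that keeps presenting the old certificate after cert-manager has rotated the Secret (the `tls: bad certificate` rejection in the log is the peer refusing that stale certificate); a `tls.Config.GetCertificate` callback that re-reads the mounted `tls.crt`/`tls.key` on each handshake is the pattern that picks the new one up without a pod restart. The self-signed fixture, the temp directory and all function names (`MustWriteSelfSigned`, `NewCertGetter`, `Demo`) are assumptions of this example:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// must panics on error; the fixture and demo below are not production paths.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// MustWriteSelfSigned writes tls.crt and tls.key into dir, the file layout of a
// mounted kubernetes.io/tls Secret. Constructed fixture standing in for cert-manager.
func MustWriteSelfSigned(dir string, serial int64) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	must(err)
	must(os.WriteFile(filepath.Join(dir, "tls.key"), pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600))
	must(os.WriteFile(filepath.Join(dir, "tls.crt"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600))
}

// NewCertGetter returns a tls.Config.GetCertificate callback that re-parses the
// mounted pair whenever the bytes of tls.crt change, so a rotated Secret is
// served on the next handshake without restarting the process.
func NewCertGetter(dir string) (func(*tls.ClientHelloInfo) (*tls.Certificate, error), error) {
	certPath, keyPath := filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")
	var mu sync.Mutex
	var cached *tls.Certificate
	var cachedPEM []byte
	getter := func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		mu.Lock()
		defer mu.Unlock()
		certPEM, _ := os.ReadFile(certPath) // a read error surfaces as a parse failure below
		keyPEM, _ := os.ReadFile(keyPath)
		if cached != nil && bytes.Equal(certPEM, cachedPEM) {
			return cached, nil // unchanged since the last handshake: no re-parse
		}
		if cert, err := tls.X509KeyPair(certPEM, keyPEM); err == nil {
			cached, cachedPEM = &cert, certPEM
		} else if cached == nil {
			return nil, err
		} // otherwise keep the last good pair, e.g. while the Secret is only half-updated
		return cached, nil
	}
	if _, err := getter(nil); err != nil { // fail fast if the files are unusable at startup
		return nil, err
	}
	return getter, nil
}

// serialOf returns the serial number of the leaf certificate in cert.
func serialOf(cert *tls.Certificate) int64 {
	leaf, err := x509.ParseCertificate(cert.Certificate[0])
	must(err)
	return leaf.SerialNumber.Int64()
}

// Demo rotates the mounted files from serial 1 to serial 2 and returns the serial
// each strategy serves afterwards: the one-time load still 1, the getter 2.
func Demo() (staticSerial, reloadSerial int64) {
	dir, err := os.MkdirTemp("", "tls-rotate")
	must(err)
	defer os.RemoveAll(dir)
	MustWriteSelfSigned(dir, 1)
	static, err := tls.LoadX509KeyPair(filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key"))
	must(err)
	getter, err := NewCertGetter(dir)
	must(err)
	MustWriteSelfSigned(dir, 2) // cert-manager rotates the Secret; the mount now holds serial 2
	rotated, err := getter(nil)
	must(err)
	return serialOf(&static), serialOf(rotated)
}

func main() {
	s, r := Demo()
	fmt.Printf("startup-loaded cert serves serial %d; reloading getter serves serial %d\n", s, r)
}
```

The getter goes into `tls.Config{GetCertificate: getter}` in place of the `Certificates` slice; it compares bytes rather than mtimes because Secret updates are projected into the mount as new files, and it deliberately keeps the last good pair when `tls.crt` and `tls.key` are momentarily out of step. For a component that behaves like the static case, the stakater/reloader workaround from the comment above amounts to annotating the Deployment with `reloader.stakater.com/auto: "true"` so that pods are recreated when the mounted Secret changes. A quick field check for the stale-certificate state is to compare the serial of the certificate a pod actually presents (`openssl s_client` against its internal port) with `openssl x509 -noout -serial` on the mounted `tls.crt`; if they differ, the process has not reloaded.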