teleport-proxy does not reload its tls certificate #3198

Closed
binoue opened this issue Dec 9, 2019 · 3 comments

@binoue
Contributor

binoue commented Dec 9, 2019

Have a question? Please use Our Forum

What happened:

I am using Teleport and cert-manager on Kubernetes.
cert-manager creates a secret resource containing a TLS certificate, and it is mounted on the teleport-proxy pod.

cert-manager updates tls.crt in the secret for teleport-proxy before it expires,
but teleport-proxy does not reload the new tls.crt and eventually it returns an expired certificate.

What you expected to happen:

teleport-proxy reloads its tls.crt when it is updated.

How to reproduce it (as minimally and precisely as possible):

  1. Create a Teleport environment with cert-manager.
  2. Update the certificate.
  3. Access Teleport from a browser.
  4. Confirm the certificate expiration date provided by teleport-proxy.

Environment:

  • Teleport version (use teleport version): 4.1.3
  • Tsh version (use tsh version):
  • OS (e.g. from /etc/os-release): Ubuntu 18.04.1 LTS

Browser environment

  • Browser Version (for UI-related issues):
  • Install tools:
  • Others:

Relevant Debug Logs If Applicable

  • tsh --debug
  • teleport --debug
@webvictim
Contributor

This is an annoying issue we should fix.

@dgivens

dgivens commented Feb 25, 2020

This is something that we just ran into due to the delay from when the teleport process is sent a HUP signal to reload the service and when the proxy services start listening for connections again. While it's done in off hours and unlikely to impact anyone, it's still a brief blip in availability. We noticed it because it was starting to trigger the alerting for the monitoring of the proxy services.

@russjones
Contributor

Closing this one so it can be tracked in #3815.
