Feature Request: Reload kargo-api TLS certificate when it is updated #4617

@dbason

Checklist

  • I've searched the issue queue to verify this is not a duplicate feature request.
  • I've pasted the output of kargo version, if applicable.
  • I've pasted logs, if applicable.

Proposed Feature

We are currently using Kargo v1.5.0 installed via the helm chart. Our helm settings for SSL are as follows:

  tls:
    selfSignedCert: false
  service:
    type: LoadBalancer

This creates a cert-manager certificate with 90-day validity. The certificate is correctly refreshed; however, when the secret is changed, the new TLS cert isn't loaded into the kargo-api, resulting in an expired certificate being presented. Manually restarting the deployment results in the new certificate being presented.

The proposed feature is to watch the certificate file for updates and then reload the server cert.

Motivation

Without this feature, cluster operators would need to manually track the certificate expiry and then reload the API server themselves. This is a not-insignificant admin overhead, and can result in access to the service being disrupted if the certificate isn't rotated correctly.
