[WIP] Remove the copy-cert init containers#423
Open
prafull01 wants to merge 1 commit intocockroachdb:masterfrom
Open
[WIP] Remove the copy-cert init containers#423prafull01 wants to merge 1 commit intocockroachdb:masterfrom
prafull01 wants to merge 1 commit intocockroachdb:masterfrom
Conversation
prafull01
force-pushed
the
remove-copy-cert
branch
from
92878e2 to
beac1c0
Compare
nameisbhaskar
added a commit
to cockroachdb/cockroach-operator
that referenced
this pull request
Mar 10, 2026
This change introduces a new 'skipCertCopy' field to the CrdbCluster API that enables zero-downtime certificate rotation using SIGHUP signals. Changes: - Add skipCertCopy boolean field to CrdbClusterSpec API - Make cert-copy initContainer conditional based on skipCertCopy flag - When skipCertCopy=true: mount certs directly from secrets for SIGHUP rotation - When skipCertCopy=false (default): use initContainer for strict 0400 permissions - Add comprehensive documentation in README.md - Add example manifests demonstrating both modes - Add detailed testing guide When skipCertCopy is enabled: - No initContainer is created - Certificates are mounted directly from Kubernetes secrets - Certificate files have 0440 permissions (group readable) - Certificates can be reloaded via SIGHUP without pod restart When skipCertCopy is disabled (default): - initContainer 'db-init' copies certificates to emptyDir - Private keys have strict 0400 permissions - Pod restart required for certificate rotation Trade-offs are documented in README.md to help users choose the appropriate mode for their security and operational requirements. Fixes: cockroachdb/helm-charts#408 Related: cockroachdb/helm-charts#423 JIRA: CRDB-42772
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes: #408