Context
Currently, when internal-encryption (a.k.a. dataplane-trust) is enabled, we automatically rotate the internal Knative CA. When this happens, all generated certificates are also reconciled and regenerated. This can also happen during upgrades (for example from 1.9 -> 1.10, if label or annotation changes happen on the CA secret).
Activator was changed to automatically reload its certificates and reconfigure its trust-store with the new CA. Queue-Proxy, on the other hand, relies on mounted secrets, which are only read at startup. So if KServices are running, the QP certificate is not updated, and thus the connection between Activator/QP or Ingress-Controller/QP fails.
We need to change QP to reload those certificates on changes.
/assign @ReToCode
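Added example (not Knative code and not part of this issue): one way to make a Go server such as queue-proxy pick up a regenerated pair from a Secret mount without a restart. Instead of reading the files once into `tls.Config.Certificates`, the server hands `crypto/tls` a `GetCertificate` callback that stats the mounted cert before each handshake and reloads the pair when it changed, keeping the previous pair if the new files are unreadable or mismatched. The file names `tls.crt`/`tls.key`, the stat-per-handshake approach, and the `writeTestPair` fixture (which mints throwaway self-signed certs and pins their mtime) are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"log"
	"math/big"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

type loaded struct {
	cert    tls.Certificate
	modTime time.Time // mtime of the cert file when this snapshot was read
}

// certReloader hands the current leaf cert to crypto/tls on every handshake
// instead of loading it once at startup. Before each handshake it stats the
// mounted cert (os.Stat follows the symlinks kubelet uses for Secret mounts).
type certReloader struct {
	certPath, keyPath string
	cur               atomic.Pointer[loaded]
}

// reload parses the pair from disk and swaps it in; call it once at startup.
// A half-written file or a mismatched key is rejected and the old pair stays.
func (r *certReloader) reload() error {
	fi, err := os.Stat(r.certPath)
	if err != nil {
		return err
	}
	pair, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err != nil {
		return err
	}
	r.cur.Store(&loaded{cert: pair, modTime: fi.ModTime()})
	return nil
}

// GetCertificate plugs into tls.Config.GetCertificate; crypto/tls calls it on
// every incoming handshake, which is where the staleness check happens.
func (r *certReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	cur := r.cur.Load()
	if fi, err := os.Stat(r.certPath); cur == nil || (err == nil && fi.ModTime().After(cur.modTime)) {
		if err := r.reload(); err != nil {
			if cur == nil {
				return nil, err // nothing was ever loaded: fail the handshake
			}
			log.Printf("keeping previous certificate, reload failed: %v", err)
		}
		cur = r.cur.Load()
	}
	return &cur.cert, nil
}

// servedSerial reports the serial of the certificate a client would be shown.
func servedSerial(r *certReloader) (int64, error) {
	c, err := r.GetCertificate(nil)
	if err != nil {
		return 0, err
	}
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return 0, err
	}
	return leaf.SerialNumber.Int64(), nil
}

// writeTestPair is a constructed fixture, not production code: it mints a
// throwaway self-signed cert with the given serial into dir/tls.{crt,key} and
// pins the mtime so the rotation is visible even with coarse timestamps.
func writeTestPair(dir string, serial int64, mt time.Time) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for a key we just generated
	for name, b := range map[string]*pem.Block{"tls.crt": {Type: "CERTIFICATE", Bytes: der},
		"tls.key": {Type: "PRIVATE KEY", Bytes: keyDER}} {
		p := filepath.Join(dir, name)
		if err := os.WriteFile(p, pem.EncodeToMemory(b), 0o600); err != nil {
			return err
		}
		if err := os.Chtimes(p, mt, mt); err != nil {
			return err
		}
	}
	return nil
}
```

Wiring it up is `srv.TLSConfig = &tls.Config{GetCertificate: r.GetCertificate}` with `Certificates` left unset, so nothing is frozen at process start. The trust-store side has the same problem: `RootCAs` and `ClientCAs` are also read once, so the CA bundle needs an equivalent swap (a fresh `x509.CertPool` handed out via `tls.Config.GetConfigForClient` on the server, or a rebuilt transport on the client) when the CA secret changes; that part is not implemented above.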