I’m observing that Pomerium (using the latest image from pomerium/pomerium:latest, should be v0.25.2) is looping in the fileutil/watcher, permanently rebuilding/re-reading its config.yaml:
I’ve examined how GCP mounts secret files and found out that the timestamp of the file is always fresh:
root@localhost:/pomerium$ ls -l
total 2
-r--r--r-- 1 root root 1475 Apr 19 21:12 config.yaml
It looks like the config file change notification mechanism used by Pomerium (inode polling?) does not work correctly for this configuration. Pomerium is tricked into thinking the config.yaml is changing all the time.
I searched the code to find the option to disable the config watcher, but I didn’t find anything.
The constant configuration rebuilds do not look correct, pollute the logs and overload the CPU.
I think I’ll work around this by supplying a config included in the Docker image, but it would be generally cool to have an option to disable config file watching, in case it works incorrectly.
Would you mind adding such an option? Or did I overlook it? Maybe other suggestions on how to mount secrets in a CloudRun environment elegantly, avoiding false config change notifications?
Let's plan to add a runtime flag to disable hot config reloading.
@wasaga mentions that we may be able to detect if we are running in Cloud Run via the presence of some environment variable; we may want to disable config change detection entirely if running in Cloud Run?
From what I can tell, the issue is that the 9P server used by Google Cloud secrets manager returns bogus timestamps in its stat response. Unfortunately, that makes it impossible to detect changes using the modification time alone.
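The failure mode described in the comment above, as an added example that is not Pomerium's code: a modification-time check reports a change whenever the timestamp moves, while a content digest only reports one when the bytes differ. The helper names are hypothetical, and the `os.Chtimes` call is a constructed stand-in for the mount returning a fresh timestamp on unchanged content.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// mtimeChanged is the modification-time-only check that a fresh timestamp defeats.
func mtimeChanged(path string, last time.Time) bool {
	fi, err := os.Stat(path)
	return err == nil && !fi.ModTime().Equal(last)
}

// hashChanged (hypothetical helper) compares the file's SHA-256 with *last and
// stores the new digest, so only a difference in the bytes counts as a change.
func hashChanged(path string, last *[sha256.Size]byte) (bool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	sum := sha256.Sum256(data)
	changed := sum != *last
	*last = sum
	return changed, nil
}

// Demo returns the mtime verdict and the hash verdict after a timestamp-only
// bump, then the hash verdict after a real edit.
func Demo() (byMtime, byHash, afterEdit bool) {
	dir, _ := os.MkdirTemp("", "cfgwatch")
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "config.yaml")
	os.WriteFile(path, []byte("constructed: sample\n"), 0o600)
	fi, _ := os.Stat(path)
	var digest [sha256.Size]byte
	hashChanged(path, &digest) // record the baseline digest
	// Constructed stand-in for the mount's behaviour: new mtime, identical bytes.
	os.Chtimes(path, time.Now(), fi.ModTime().Add(time.Minute))
	byMtime = mtimeChanged(path, fi.ModTime())
	byHash, _ = hashChanged(path, &digest)
	os.WriteFile(path, []byte("constructed: edited\n"), 0o600)
	afterEdit, _ = hashChanged(path, &digest)
	return
}

func main() { fmt.Println(Demo()) }
```

Hashing costs a full read of the file on every poll, which is small for a config file of the size shown in the listing above.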
Copied from https://discuss.pomerium.com/t/pomerium-loops-re-reading-configuration-from-cloudrun-mounted-secret/361: