Unresponsive while claiming certs

Version: 0.9.5

I vaguely remember reading about this somewhere, but I can no longer find that discussion.

I’m using Caddy as a reverse proxy in Kubernetes, so every time I add a new website, I restart the containers. This means that Caddy boots up and attempts to get the SSL certificates for the new websites. While it’s doing that, Caddy looks like it’s unresponsive – even to all other domains.

Is there a way to let Caddy fetch the certificates in the background so it can continue to serve traffic for sites that already have certs?

You can reload Caddy with zero downtime by sending it signal USR1. I don’t know how that works with Kubernetes (never used it) but that’s typically the proper way to do this.

Hmm… I’m new to Kubernetes as well, so it’s worth bringing in someone else to add to the discussion. I’ll ask a few people to weigh in.

In the meantime – in Kubernetes, the way to restart/reload apps is to restart the container. I searched around for a way to send different signals to the program in the container, and found one that talks about sending signals before the container is killed. But, in the end, the container will restart after the specified terminationGracePeriodSeconds.

As a workaround, I could send USR1 before the container is shut down (preStop), and set terminationGracePeriodSeconds way longer than Caddy needs to fetch certs. When the container is finally restarted, it should be instant because Caddy already has the certs.
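
A sketch of the preStop workaround described in the last post, added here as an illustration and not taken from the thread or from the Caddy project. The pod name, image, volume claim and certificate path are placeholders, and it assumes Caddy runs as PID 1 in an image that has /bin/sh.

```yaml
# Added illustration; names, image and paths are placeholders (assumptions).
apiVersion: v1
kind: Pod
metadata:
  name: caddy-proxy                        # hypothetical name
spec:
  # The grace period starts counting before the preStop hook runs, so it
  # must cover the hook's full duration plus Caddy's own shutdown.
  terminationGracePeriodSeconds: 180
  containers:
    - name: caddy
      image: example.invalid/caddy:0.9.5   # placeholder image
      lifecycle:
        preStop:
          exec:
            # The kubelet sends SIGTERM as soon as this hook returns, so the
            # hook has to wait after USR1 or the reload is cut short.
            # Assumes Caddy is PID 1 and the image ships /bin/sh.
            command: ["/bin/sh", "-c", "kill -USR1 1 && sleep 120"]
      volumeMounts:
        - name: caddy-certs
          mountPath: /root/.caddy          # assumed certificate store location
  volumes:
    - name: caddy-certs
      persistentVolumeClaim:
        claimName: caddy-certs             # hypothetical claim
```

For the restarted container to start instantly, the old container must already see the updated Caddyfile when it receives USR1, and the certificate directory must live on storage that outlasts the container.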
