feat(helm): add TLS certificate reload interval config

lunarwhite · lunarwhite · commit c30d30fb70c4 · 2026-06-11T19:59:02.000+08:00
Signed-off-by: Yuedong Wu &lt;dwcn22@outlook.com&gt;
diff --git a/deploy/helm/openshell/README.md b/deploy/helm/openshell/README.md
@@ -216,6 +216,7 @@ JWT signing Secret.
 | server.tls.certSecretName | string | `"openshell-server-tls"` | K8s secret (type kubernetes.io/tls) with tls.crt and tls.key for the server. |
 | server.tls.clientCaSecretName | string | `"openshell-server-client-ca"` | K8s secret with ca.crt for client certificate verification (mTLS). Set to "" to disable mTLS and run HTTPS-only (use OIDC for auth instead). |
 | server.tls.clientTlsSecretName | string | `"openshell-client-tls"` | K8s secret mounted into sandbox pods for mTLS to the server. |
+| server.tls.reloadIntervalSecs | int | `0` | Interval in seconds between TLS certificate reload checks. Set to 0 to disable periodic reload (the default). Set to a positive value (e.g., 60 or 600) to enable polling-based hot-reload. The gateway re-reads cert/key/CA files on each tick and atomically swaps the active TLS config when they change. |
 | server.workspaceDefaultStorageSize | string | `""` | Default storage size for the workspace PVC in sandbox pods. Uses Kubernetes quantity syntax (e.g. "2Gi", "10Gi", "500Mi"). Empty = built-in default (2Gi). |
 | service.healthPort | int | `8081` | Gateway health service port. |
 | service.metricsPort | int | `9090` | Gateway metrics service port. |
diff --git a/deploy/helm/openshell/templates/gateway-config.yaml b/deploy/helm/openshell/templates/gateway-config.yaml
@@ -63,6 +63,9 @@ data:
     cert_path             = "/etc/openshell-tls/server/tls.crt"
     key_path              = "/etc/openshell-tls/server/tls.key"
     client_ca_path        = "/etc/openshell-tls/client-ca/ca.crt"
+    {{- if .Values.server.tls.reloadIntervalSecs }}
+    reload_interval_secs  = {{ .Values.server.tls.reloadIntervalSecs }}
+    {{- end }}
     {{- end }}
 
     {{- if .Values.server.auth.allowUnauthenticatedUsers }}
diff --git a/deploy/helm/openshell/values.yaml b/deploy/helm/openshell/values.yaml
@@ -208,6 +208,12 @@ server:
     clientCaSecretName: openshell-server-client-ca
     # -- K8s secret mounted into sandbox pods for mTLS to the server.
     clientTlsSecretName: openshell-client-tls
+    # -- Interval in seconds between TLS certificate reload checks.
+    # Set to 0 to disable periodic reload (the default). Set to a positive
+    # value (e.g., 60 or 600) to enable polling-based hot-reload. The gateway
+    # re-reads cert/key/CA files on each tick and atomically swaps the active
+    # TLS config when they change.
+    reloadIntervalSecs: 0
   # Gateway-minted sandbox JWT signing keys. The certgen hook generates an
   # Ed25519 keypair and writes it to a secret containing signing.pem (PKCS#8),
   # public.pem (SPKI), and kid (plain text). The hook runs in full PKI mode when
diff --git a/docs/reference/gateway-config.mdx b/docs/reference/gateway-config.mdx
@@ -104,6 +104,9 @@ cert_path             = "/etc/openshell/certs/gateway.pem"
 key_path              = "/etc/openshell/certs/gateway-key.pem"
 client_ca_path        = "/etc/openshell/certs/client-ca.pem"
 require_client_auth   = false
+# Polling interval in seconds for hot-reloading TLS certificates.
+# Set to 0 to disable reload (the default).
+# reload_interval_secs = 600
 
 [openshell.gateway.gateway_jwt]
 signing_key_path = "/etc/openshell/jwt/signing.pem"
@@ -160,6 +163,7 @@ compute_drivers       = ["kubernetes"]
 cert_path      = "/etc/openshell-tls/server/tls.crt"
 key_path       = "/etc/openshell-tls/server/tls.key"
 client_ca_path = "/etc/openshell-tls/client-ca/ca.crt"
+# reload_interval_secs = 600  # opt-in: polling interval for TLS cert hot-reload
 
 [openshell.drivers.kubernetes]
 namespace                      = "agents"
