Support for hot reloading certificates was added in elastic/elastic-agent-libs#404 and can be used to implement hot certificate reload support in the beats auth extension, as is being done in Fleet Server in elastic/fleet-server#6838.
We should follow the convention set in https://github.com/elastic/fleet-server/pull/6838 and add new ssl.certificate_reload settings:
    certificate_reload:
      enabled: true        # Enabled by default; set to false to disable periodic reload
      reload_interval: 5s  # How often to re-read cert/key files from disk.
                           # After rotation, new certs are picked up within
                           # this interval on the next TLS handshake.
We need to decide if we should also enable certificate reload by default or if it must manually be enabled in Beats. We also need to alias the existing ssl.restart_on_cert_change.* to certificate_reload.enabled for backwards compatibility but without actually restarting the process.
This feature can be brought to all Beats if it is simpler, but the immediate need is to support it in the beatsauth extension.
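Added example, not code from this issue, elastic-agent-libs, or Fleet Server: a minimal Go sketch of the behaviour the reload_interval comment describes, where the certificate is re-read at most once per interval and picked up on the next TLS handshake. The names certReloader and fromDisk are hypothetical, and keeping the cached certificate when a reload fails is an assumption of this sketch.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sync"
	"time"
)

// certReloader is a hypothetical type for this example, not the elastic-agent-libs API.
type certReloader struct {
	mu       sync.Mutex
	interval time.Duration                    // plays the role of reload_interval
	load     func() (*tls.Certificate, error) // reads the cert/key pair
	now      func() time.Time                 // injectable clock
	cert     *tls.Certificate
	loadedAt time.Time
}

// fromDisk builds a reloader that re-reads PEM files with tls.LoadX509KeyPair.
func fromDisk(certFile, keyFile string, interval time.Duration) *certReloader {
	return &certReloader{interval: interval, now: time.Now, load: func() (*tls.Certificate, error) {
		c, err := tls.LoadX509KeyPair(certFile, keyFile)
		return &c, err
	}}
}

// GetCertificate is meant for tls.Config.GetCertificate, so it runs on each handshake.
func (r *certReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.cert == nil || r.now().Sub(r.loadedAt) >= r.interval {
		c, err := r.load()
		if err != nil && r.cert == nil {
			return nil, err // first load failed: nothing to serve
		}
		if err == nil {
			r.cert = c
		} // else: files unreadable mid-rotation, keep serving the cached cert
		r.loadedAt = r.now() // retry no sooner than one interval later
	}
	return r.cert, nil
}

func main() {
	_, err := fromDisk("missing.crt", "missing.key", 5*time.Second).GetCertificate(nil)
	fmt.Println("first load with absent files fails:", err != nil)
}
```

Because the previous certificate keeps being served when a reload fails, a deployment using this approach would want to log or count reload errors so a broken rotation does not go unnoticed until the old certificate expires.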