Hi again!
I notice that most of the files defined under the identity sections in the Controller and Router configuration YAML file are watched by the Ziti application for modifications so they can be reloaded when certs are renewed.
The only file that doesn't appear to be watched is identity.ca. Is there a reason for this? I appreciate the CA bundle will not change as frequently as the other PKI files, but it just means that when the CA bundle file is modified (on CA renewal) a full restart of the application is required.
For example, if I modify identity.cert I see the following logs in the Controller.
{"file":"github.com/openziti/identity@v1.0.105/identity_watcher.go:65","func":"github.com/openziti/identity.(*ID).startWatching.func1","level":"info","msg":"identity file watcher received event, queuing reload: WRITE \"/etc/ziti/pki/server.chain.pem\"","time":"2025-07-25T13:09:28.147Z"}
{"file":"github.com/openziti/identity@v1.0.105/identity_watcher.go:65","func":"github.com/openziti/identity.(*ID).startWatching.func1","level":"info","msg":"identity file watcher received event, queuing reload: WRITE \"/etc/ziti/pki/server.chain.pem\"","time":"2025-07-25T13:09:28.147Z"}
But if I modify identity.ca I see no such logs and I must restart the Ziti controller application to apply the change.
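An added example, not part of the original post and not OpenZiti code: a small check that reads controller JSON logs after a PKI renewal and reports which modified identity files never produced a watcher reload event, so a needed restart is not missed. The message format is taken from the log lines quoted above; the `identity.ca` path and the extra log line are constructed for illustration.

```python
import json
import re

# Message format as it appears in the controller log lines quoted in the post.
RELOAD_MSG = re.compile(
    r'identity file watcher received event, queuing reload: '
    r'(?P<op>[A-Z|]+) "(?P<path>[^"]+)"'
)

def reload_events(log_lines):
    """Return {path: [timestamps]} for every watcher reload event found."""
    events = {}
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON output interleaved with the log
        if not isinstance(rec, dict):
            continue
        m = RELOAD_MSG.search(str(rec.get("msg", "")))
        if m:
            events.setdefault(m.group("path"), []).append(rec.get("time"))
    return events

def unreloaded(modified_files, log_lines):
    """Config keys whose file was modified but never triggered a reload."""
    seen = reload_events(log_lines)
    return sorted(k for k, path in modified_files.items() if path not in seen)

# First line is the event from the post (it appears twice there); the rest are constructed.
EVENT = (r'{"file":"github.com/openziti/identity@v1.0.105/identity_watcher.go:65",'
         r'"level":"info","msg":"identity file watcher received event, queuing '
         r'reload: WRITE \"/etc/ziti/pki/server.chain.pem\"",'
         r'"time":"2025-07-25T13:09:28.147Z"}')
SAMPLE_LOG = [
    EVENT,
    EVENT,
    '{"level":"info","msg":"constructed unrelated message","time":"2025-07-25T13:10:00.000Z"}',
    "plain text line that is not JSON",
]

# Files touched during the renewal; the identity.ca path is a constructed placeholder.
MODIFIED = {
    "identity.cert": "/etc/ziti/pki/server.chain.pem",
    "identity.ca": "/etc/ziti/pki/ca.bundle.pem",
}

if __name__ == "__main__":
    for key in unreloaded(MODIFIED, SAMPLE_LOG):
        print(f"{key}: no reload event seen, restart required to apply")
```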