File watcher for CA bundle PEM

Hi again!

I notice that most of the files defined under the identity sections in the Controller and Router configuration YAML file are watched by the Ziti application for modifications so they can be reloaded when certs are renewed.

The only file that doesn't appear to be watched is identity.ca. Is there a reason for this? I appreciate the CA bundle will not change as frequently as the other PKI files, but it just means that when the CA bundle file is modified (on CA renewal) a full restart of the application is required.

For example, if I modify identity.cert I see the following logs in the Controller.

{"file":"github.com/openziti/identity@v1.0.105/identity_watcher.go:65","func":"github.com/openziti/identity.(*ID).startWatching.func1","level":"info","msg":"identity file watcher received event, queuing reload: WRITE         \"/etc/ziti/pki/server.chain.pem\"","time":"2025-07-25T13:09:28.147Z"}
{"file":"github.com/openziti/identity@v1.0.105/identity_watcher.go:65","func":"github.com/openziti/identity.(*ID).startWatching.func1","level":"info","msg":"identity file watcher received event, queuing reload: WRITE         \"/etc/ziti/pki/server.chain.pem\"","time":"2025-07-25T13:09:28.147Z"}

But if I modify identity.ca I see no such logs and I must restart the Ziti controller application to apply the change.

Hi @farmhouse, I expect this is just an oversight but it might be on purpose. I would have thought the ca bundle is watched too. @andrew.martinez is this perhaps intentional that it’s not watched or is it just a missing log statement maybe?

I wrote the code that enumerates the files to watch, and I don’t recall considering the CA file for watching. We were specifically attempting to support external life cycle certificate/private key rotation.

I wouldn’t expect the CA bundle to change often or at all, unless there is a root CA cutover, which should be a once-in-a-decade event or so.

Even during certificate extension, the CA bundle is not updated.

I’m considering what it would mean to watch this file. A few thoughts come to mind:

  • updating this file incorrectly can cause the routers/controllers to never reconnect - can be mitigated by careful updating of the file or re-enrolling.
  • people can still update the CA bundle and restart the router/controller - not elegant but workable
  • I really don’t like the idea of manual CA bundle editing

(router/controller are both included as the code that interacts w/ the identity configuration is shared between both components)

On the last point, updating the CA bundle for a controller is possible. It would require new messaging to routers and handlers in the routers. If we did do that, we would need to add verification on startup/reload to make sure the CA bundle won’t cause a cascading failure where routers stop trusting controllers.

On one hand I could see some PKI oriented users wanting complete control, but I also know that most users aren't PKI experts and just want it to work.
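As an added illustration of the "verification on reload" point above (this is example code written for this thread, not OpenZiti's identity library): before a reloader swaps in a modified identity.ca, it can check that the component's current identity chain still verifies against the proposed bundle, so a bad edit is rejected instead of stranding the router or controller. The function name CheckBundleCompatible and the MakeCertPEM demo helper are assumptions for this example; the CA and leaf certificates it builds are constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckBundleCompatible returns nil only when the identity chain (leaf first, then any
// intermediates, as in server.chain.pem) still verifies against the proposed CA bundle.
func CheckBundleCompatible(caBundlePEM, chainPEM []byte) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(caBundlePEM) // empty or unparseable bundle: pool stays empty, Verify fails
	block, rest := pem.Decode(chainPEM)
	if block == nil {
		return fmt.Errorf("identity cert file contains no PEM block")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("bad leaf certificate: %w", err)
	}
	inters := x509.NewCertPool()
	inters.AppendCertsFromPEM(rest) // anything after the leaf is treated as an intermediate
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err // nil means the current identity would survive the bundle swap
}

// MakeCertPEM builds constructed demo material: a self-signed CA when issuer is nil, else a leaf issued by it.
func MakeCertPEM(cn string, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: issuer == nil, BasicConstraintsValid: true,
	}
	if issuer == nil { // self-signed root: sign with its own key
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}
```

A bundle that still contains the old root alongside a new one passes, which is the safe shape for a cutover; a bundle that drops the issuer of the current identity is rejected before it is applied.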