CFE-986: Reload router when defaultDestinationCA is updated #537
base: master
Conversation
@bharath-b-rh: This pull request references CFE-986 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
cc @ShudiLi
if err := r.watchVolumeMountDir(caBundleDir, reloadFn); err != nil { | ||
log.V(0).Error(err, "failed to establish watch on CA bundle certificate directory") | ||
return nil |
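Review bot: the error from watchVolumeMountDir is logged and then discarded by `return nil`, so if the watch cannot be established the router keeps running and will never reload when the CA bundle is rotated. Either return the error so the failure is visible at startup, or keep `return nil` and add a comment explaining why a missing watch is tolerated here.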
Shouldn't this return the error?
Yes it should, but the other invocations of watchVolumeMountDir aren't returning the error, so I assumed here too there is no need for the router to exit on a file watcher error. Let me update to return the error.
OK, I didn't look at how other invocations worked. Perhaps not returning an error is the right thing to do here. If the existing usage is correct then we should comment why `return nil` is the right thing to do.
I have added the comment.
It seems that the code comment relates to my earlier review comment, in which I suggest adding a check for empty `r.defaultDestinationCAPath`. If I understand you correctly, the length check is not strictly necessary, and the current logic just logs an error if the path is empty. However, an explicit length check would make the logic easier to verify in my opinion and would avoid a scary "failed to establish watch" error message on startup, so I think it is better to add the check.
(In any case, I'm fine having `return nil` here.)
suggestion incorporated.
3a978ad to 70e170d
/retest
/retest e2e-agnostic
@bharath-b-rh: The
The following commands are available to trigger optional jobs:
Use
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test e2e-agnostic
70e170d to 19d1b7c
/test e2e-upgrade
/cc @Miciah
Tested it with 4.15.0-0.test-2023-11-28-002931-ci-ln-z8rzn72-latest
/label qe-approved
@bharath-b-rh: This pull request references CFE-986 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Thank you @ShudiLi!
/label docs-approved
19d1b7c to b59b5f6
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Thanks for the update. This is a pretty simple PR. As far as my review goes: But I'll let @Miciah provide the approval.
Thank you @gcs278!
pkg/router/template/router.go
Outdated
// watchCABundleCert watches the directory containing the CA bundle certificate | ||
// and reloads the router if the directory contents change. | ||
func (r *templateRouter) watchCABundleCert() error { | ||
caBundleDir := filepath.Dir(r.defaultDestinationCAPath) |
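Review bot: `filepath.Dir(r.defaultDestinationCAPath)` runs before any check that the path is set, and `filepath.Dir("")` returns `"."`, so when no DefaultDestinationCA is configured this would establish a watch on the router's working directory and a change there could trigger a reload. Return early when `len(r.defaultDestinationCAPath) == 0`, before computing caBundleDir.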
`r.defaultDestinationCAPath` could be empty.
caBundleDir := filepath.Dir(r.defaultDestinationCAPath) | |
if len(r.defaultDestinationCAPath) == 0 { | |
return nil | |
} | |
caBundleDir := filepath.Dir(r.defaultDestinationCAPath) |
suggestion incorporated.
pkg/router/template/router.go
Outdated
caBundleDir := filepath.Dir(r.defaultDestinationCAPath) | ||
|
||
reloadFn := func() { | ||
log.V(0).Info("router slated for reload after detecting changes in CA bundle certificate directory") |
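Review bot: the reload message in reloadFn does not say which file changed. The client CA CRL reload function logs the file name; logging r.defaultDestinationCAPath here as well would let an operator correlate a router reload with the specific bundle rotation.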
This is a bit more verbose than the log message for reloading the default certificate ("reloading to get updated default certificate") or client CA CRL ("reloading to get updated client CA CRL"). Is there a reason not to keep it simple (e.g., "reloading to get updated default destination CA certificate bundle")?
I do like that the client CA CRL reload function also logs the file name; that might be useful here too.
router/pkg/router/template/router.go
Line 470 in b59b5f6
log.V(0).Info("reloading to get updated client CA CRL", "name", crl.CRLFilename, "have CRLs", haveCRLs)
suggestion incorporated.
New changes are detected. LGTM label has been removed.
/retest
@bharath-b-rh: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
/remove-lifecycle stale
PR has the changes for the enhancement proposed to support a custom CA bundle to be used by the router to verify the server's certificate for the `reencrypt` termination type when the `destinationCA` is not configured. A CA certificate bundle with the `service CA` and the `custom CA` certificates is made available to the router as `DefaultDestinationCA`, and the router should watch the CA bundle file and reload whenever an update is detected.
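As an added example (not the PR's code), the empty-path guard discussed in the review together with a polling stand-in for the project's watchVolumeMountDir helper: it fingerprints the directory holding the DefaultDestinationCA bundle and invokes the reload callback only when the directory contents change. Polling in place of a directory watch, and the function names, are assumptions made here.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
)

// dirFingerprint hashes the names and contents of the files in dir (os.ReadDir
// returns them sorted). The directory, not the single bundle file, is fingerprinted
// because the kubelet updates a mounted Secret/ConfigMap by swapping its "..data" symlink.
func dirFingerprint(dir string) (string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return "", err
	}
	h := sha256.New()
	for _, e := range entries {
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			continue // a directory such as "..data", or an entry removed mid-swap
		}
		fmt.Fprintf(h, "%s\x00%s\x00", e.Name(), data)
	}
	return string(h.Sum(nil)), nil
}

// newBundleWatcher takes the DefaultDestinationCA file path and returns a poll function
// for its directory, or nil when no bundle is configured (the guard matters: filepath.Dir("")
// is "."). The first poll only records a baseline; later polls run reloadFn on change.
func newBundleWatcher(defaultDestinationCAPath string, reloadFn func(dir string)) func() (bool, error) {
	if len(defaultDestinationCAPath) == 0 {
		return nil
	}
	dir := filepath.Dir(defaultDestinationCAPath)
	last := ""
	return func() (bool, error) {
		fp, err := dirFingerprint(dir)
		if err != nil {
			return false, err
		}
		changed := last != "" && fp != last
		last = fp
		if changed {
			reloadFn(dir)
		}
		return changed, nil
	}
}
```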