ceph: fix kms auto-detection when full TLS #8867
This pull request has merge conflicts that must be resolved before it can be merged. @leseb please rebase it. https://rook.io/docs/rook/latest/development-flow.html#updating-your-fork
I wonder if the Sleep() calls in the tests are still needed.
If they are, I have generally seen the advice that unit tests that test timeouts should change the timeout value itself so that the test doesn't actually take many seconds to run unnecessarily. I think I've changed them to be on the order of milliseconds (10ms or so) with success on local runs as well as in CI.
// Populate TLS config | ||
newConfigWithTLS, removeCertFiles, err := configTLS(clusterdContext, namespace, localSecretConfig) | ||
if err != nil { | ||
return nil, errors.Wrap(err, "failed to initialize vault tls configuration") |
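Review bot: the if err != nil return drops the removeCertFiles value that configTLS handed back together with the error, so whether certificate and key files written before the failure get deleted on this path depends entirely on configTLS. Either state that contract in the configTLS doc comment (it removes its own files on error), or call removeCertFiles() here when it is non-nil before returning.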
Would it be simpler to remove cert files here in the error condition, instead of inside configTLS()?
return nil, errors.Wrap(err, "failed to initialize vault tls configuration") | |
removeCertFiles() | |
return nil, errors.Wrap(err, "failed to initialize vault tls configuration") |
I think removing the files from this function is the better design so that the calling function doesn't have to worry about handling special behavior. It seems like it's normal practice to me for Go functions to clean up after themselves.
But I think what you're seeing is that modifying the function in the future, we could forget to keep removeCertFiles() before returning an error in configTLS()...
The caller already owns calling removeCertFiles() on success, so it seems reasonable to clean up here on failure as well. Like you said, cleaning up could be missed in an individual error condition inside the method.
The cleanup is not missed anymore since we use defer in configTLS() now.
pkg/daemon/ceph/osd/kms/vault.go
Outdated
// The signature has named result parameters to help building 'defer' statements especially for the | ||
// content of removeCertFiles which needs to be populated by the files to remove if no errors and be | ||
// nil on errors | ||
func configTLS(clusterdContext *clusterd.Context, namespace string, config map[string]string) (newCconfig map[string]string, removeCertFiles removeCertFilesFunction, retErr error) { |
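Review bot: the doc comment above the signature says removeCertFiles is nil on errors, which obliges every caller to nil-check it before calling or deferring it. Returning a no-op function on the error path would let callers invoke it unconditionally; if nil is kept, spell it out in the comment as a caller obligation.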
Nit: typo?
func configTLS(clusterdContext *clusterd.Context, namespace string, config map[string]string) (newCconfig map[string]string, removeCertFiles removeCertFilesFunction, retErr error) { | |
func configTLS(clusterdContext *clusterd.Context, namespace string, config map[string]string) (newConfig map[string]string, removeCertFiles removeCertFilesFunction, retErr error) { |
err := file.Close() | ||
if err != nil { | ||
logger.Errorf("failed to close file %q. %v", file.Name(), err) | ||
} |
All the files are definitely still open when this is called, right?
Yes, we don't close them anywhere else.
assert.NoFileExists(t, config["VAULT_CLIENT_KEY"]) | ||
}) | ||
|
||
t.Run("advanced TLS config with temp file creation error", func(t *testing.T) { |
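Review bot: assert.NoFileExists(t, config["VAULT_CLIENT_KEY"]) also passes when the map entry is missing or empty, because a path that cannot be stat'ed counts as "no file". Unless an earlier line already does so, capture the path and assert it is non-empty (or assert.FileExists) before the cleanup runs, so this line proves that a real file was removed.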
I'm having some trouble following what this test is checking for. Let's discuss in huddle.
Ok but essentially it's testing that previously created files are removed if any invocation in configTLS fails. It's testing the cleanup.
When TLS is used and includes a cacert, client key/cert, we need to copy the content of the secret to a file in the operator's container filesystem so that we can build the TLS config and thus the HTTP Client, which reads those files.
Also, removing the files after each API call so they don't persist on the filesystem forever.
Signed-off-by: Sébastien Han <seb@redhat.com>
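The pattern this commit message and the review thread describe (write secret content to temporary files, hand the caller a cleanup function, and let one defer over named results remove partial output on any error) is sketched below as an added example; it is not Rook's code. writeTLSFiles and tlsKeys are hypothetical names, VAULT_CACERT and VAULT_CLIENT_CERT are Vault's environment variable names and do not appear on this page, and the error path returns a no-op cleanup where the PR's comment says nil.

```go
package main

import (
	"fmt"
	"os"
)

var tlsKeys = []string{"VAULT_CACERT", "VAULT_CLIENT_CERT", "VAULT_CLIENT_KEY"} // page shows only the last

// writeTLSFiles (hypothetical name) copies secret content to temp files in dir. The named
// results let one defer remove already-written files on every error return.
func writeTLSFiles(dir string, secrets map[string][]byte) (paths map[string]string, cleanup func(), retErr error) {
	var created []string
	remove := func() {
		for _, p := range created {
			if err := os.Remove(p); err != nil && !os.IsNotExist(err) {
				fmt.Fprintf(os.Stderr, "failed to remove %q: %v\n", p, err)
			}
		}
	}
	defer func() {
		if retErr != nil {
			remove()
			paths, cleanup = nil, func() {} // no-op so callers can always call it
		}
	}()
	paths = make(map[string]string)
	for _, key := range tlsKeys {
		if _, ok := secrets[key]; !ok {
			return nil, nil, fmt.Errorf("secret has no %q entry", key)
		}
		f, err := os.CreateTemp(dir, "vault-tls-*") // created with mode 0600
		if err != nil {
			return nil, nil, fmt.Errorf("failed to create file for %q: %w", key, err)
		}
		created = append(created, f.Name()) // tracked apart from paths: a return resets paths first
		_, werr := f.Write(secrets[key])
		if cerr := f.Close(); werr != nil || cerr != nil {
			return nil, nil, fmt.Errorf("failed to write %q: write=%v close=%v", key, werr, cerr)
		}
		paths[key] = f.Name()
	}
	return paths, remove, nil
}

func main() { // constructed secret lacking the client cert and key, to force the error path
	_, cleanup, err := writeTLSFiles(os.TempDir(), map[string][]byte{"VAULT_CACERT": []byte("constructed")})
	cleanup()
	fmt.Println("error:", err)
}
```

The list of created files is kept separate from the returned map because an explicit `return nil, nil, err` overwrites the named results before the deferred function runs.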
Is there an upstream need to backport to 1.6? If not, let's just backport to 1.7.
ceph: fix kms auto-detection when full TLS (backport #8867)
Description of your changes:
When TLS is used and includes a cacert, client key/cert, we need to copy
the content of the secret to a file in the operator's container
filesystem so that we can build the TLS config and thus the HTTP Client,
which reads those files.
Also, removing the files after each API call so they don't persist on
the filesystem forever.
Signed-off-by: Sébastien Han <seb@redhat.com>
Which issue is resolved by this Pull Request:
Resolves #