ceph: fix kms auto-detection when full TLS #8867
Conversation
leseb
force-pushed
the
kv-auto-detect-with-certs
branch
from
e5d0b24
to
94b7e27
Compare
leseb
force-pushed
the
kv-auto-detect-with-certs
branch
4 times, most recently
from
e3ca518
to
4c5d090
Compare
|
This pull request has merge conflicts that must be resolved before it can be merged. @leseb please rebase it. https://rook.io/docs/rook/latest/development-flow.html#updating-your-fork |
leseb
force-pushed
the
kv-auto-detect-with-certs
branch
4 times, most recently
from
1691be9
to
4ef2ff3
Compare
leseb
force-pushed
the
kv-auto-detect-with-certs
branch
from
4ef2ff3
to
5f81511
Compare
There was a problem hiding this comment.
I wonder if the Sleep() calls in the tests are still needed.
If they are, I have generally seen the advice that unit tests that test timeouts should change the timeout value itself so that the test doesn't actually take many seconds to run unnecessarily. I think I've changed them to be on the order of milliseconds (10ms or so) with success on local runs as well as in CI.
leseb
force-pushed
the
kv-auto-detect-with-certs
branch
from
5f81511
to
d9f0249
Compare
| // Populate TLS config | ||
| newConfigWithTLS, removeCertFiles, err := configTLS(clusterdContext, namespace, localSecretConfig) | ||
| if err != nil { | ||
| return nil, errors.Wrap(err, "failed to initialize vault tls configuration") |
There was a problem hiding this comment.
Would it be simpler to remove cert files here in the error condition, instead of inside configTLS()?
| return nil, errors.Wrap(err, "failed to initialize vault tls configuration") | |
| removeCertFiles() | |
| return nil, errors.Wrap(err, "failed to initialize vault tls configuration") |
There was a problem hiding this comment.
I think removing the files from this function is the better design so that the calling function doesn't have to worry about handling special behavior. It seems like it's normal practice to me for go functions to clean up after themselves.
But I think what you're seeing is that modifying the function in the future, we could forget to keep removeCertFiles() before returning an error in configTLS()...
There was a problem hiding this comment.
The caller already owns calling removeCertFiles() on success, so it seems reasonable to cleanup here on failure as well. Like you said, cleaning up could be missed in an individual error condition inside the method.
There was a problem hiding this comment.
The cleanup is not missed anymore since we use defer in configTLS() now.
| // Populate TLS config | ||
| newConfigWithTLS, removeCertFiles, err := configTLS(clusterdContext, namespace, localSecretConfig) | ||
| if err != nil { | ||
| return nil, errors.Wrap(err, "failed to initialize vault tls configuration") |
There was a problem hiding this comment.
I think removing the files from this function is the better design so that the calling function doesn't have to worry about handling special behavior. It seems like it's normal practice to me for go functions to clean up after themselves.
But I think what you're seeing is that modifying the function in the future, we could forget to keep removeCertFiles() before returning an error in configTLS()...
leseb
force-pushed
the
kv-auto-detect-with-certs
branch
from
d9f0249
to
76214cd
Compare
leseb
force-pushed
the
kv-auto-detect-with-certs
branch
from
76214cd
to
db6413f
Compare
pkg/daemon/ceph/osd/kms/vault.go
Outdated
| // The signature has named result parameters to help building 'defer' statements especially for the | ||
| // content of removeCertFiles which needs to be populated by the files to remove if no errors and be | ||
| // nil on errors | ||
| func configTLS(clusterdContext *clusterd.Context, namespace string, config map[string]string) (newCconfig map[string]string, removeCertFiles removeCertFilesFunction, retErr error) { |
There was a problem hiding this comment.
Nit: typo?
| func configTLS(clusterdContext *clusterd.Context, namespace string, config map[string]string) (newCconfig map[string]string, removeCertFiles removeCertFilesFunction, retErr error) { | |
| func configTLS(clusterdContext *clusterd.Context, namespace string, config map[string]string) (newConfig map[string]string, removeCertFiles removeCertFilesFunction, retErr error) { |
| err := file.Close() | ||
| if err != nil { | ||
| logger.Errorf("failed to close file %q. %v", file.Name(), err) | ||
| } |
There was a problem hiding this comment.
All the files are definitely still open when this is called, right?
There was a problem hiding this comment.
Yes, we don't close them anywhere else.
| assert.NoFileExists(t, config["VAULT_CLIENT_KEY"]) | ||
| }) | ||
|
|
||
| t.Run("advanced TLS config with temp file creation error", func(t *testing.T) { |
There was a problem hiding this comment.
I'm having some trouble following what this test is checking for. Let's discuss in huddle.
There was a problem hiding this comment.
Ok but essentially it's testing that previously created files are removed if any invocation in conifgTLS fails. It's testing the cleanup.
leseb
force-pushed
the
kv-auto-detect-with-certs
branch
from
db6413f
to
8a6b332
Compare
When TLS is used and includes a caert, client key/cert, we need to copy the content of the secret to a file in the operator's container filesystem so that we can build the TLS config and thus the HTTP Client, which reads those files. Also, removing the files after each API call so they don't persist on the filesystem forever. Signed-off-by: Sébastien Han <seb@redhat.com>
leseb
force-pushed
the
kv-auto-detect-with-certs
branch
from
8a6b332
to
61afadd
Compare
ceph: fix kms auto-detection when full TLS (backport #8867)
Description of your changes:
When TLS is used and includes a caert, client key/cert, we need to copy
the content of the secret to a file in the operator's container
filesystem so that we can build the TLS config and thus the HTTP Client,
which reads those files.
Also, removing the files after each API call so they don't persist on
the filesystem forever.
Signed-off-by: Sébastien Han seb@redhat.com
Which issue is resolved by this Pull Request:
Resolves #
Checklist:
make codegen) has been run to update object specifications, if necessary.