Improve CertAuthorityWatcher #10403
Merged
Improve CertAuthorityWatcher #10403
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rosstimothy
force-pushed
the
tross/fix_ca_watcher
branch
from
d2eed85 to
724f644
Compare
rosstimothy
force-pushed
the
tross/fix_ca_watcher
branch
3 times, most recently
from
ab57537 to
5b12c90
Compare
espadolini
approved these changes
May 17, 2022
| return trace.Wrap(ctx.Err()) | ||
| case c.CertAuthorityC <- updatedCerts.ToSlice(): | ||
| for _, ca := range cas { | ||
| c.cas[ca.GetType()][ca.GetName()] = ca |
There was a problem hiding this comment.
Do you know if GetCertAuthorities is guaranteed to doublecheck the type of the CAs? If not we should probably doublecheck it here.
There was a problem hiding this comment.
Good catch. Updated to only add them if configured to watch for that ca type now
CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs.
rosstimothy
force-pushed
the
tross/fix_ca_watcher
branch
from
a420eba to
58b5d5c
Compare
jakule
reviewed
May 17, 2022
| @@ -961,13 +956,20 @@ func NewCertAuthorityWatcher(ctx context.Context, cfg CertAuthorityWatcherConfig | |||
|
|
|||
| collector := &caCollector{ | |||
| CertAuthorityWatcherConfig: cfg, | |||
| fanout: NewFanout(), | |||
| cas: make(map[types.CertAuthType]map[string]types.CertAuthority, len(cfg.Types)), | |||
There was a problem hiding this comment.
nit:
Suggested change
| cas: make(map[types.CertAuthType]map[string]types.CertAuthority, len(cfg.Types)), | |
| cas: make(types.CertAuthorityTypeMap, len(cfg.Types)), |
I also don't mind renaming the CertAuthorityTypeMap if you have any better idea.
There was a problem hiding this comment.
Hmm, I didn't know these were added, but looking at them, they seem really specific to the CAWatcher internals and I'm not entirely convinced that they should even be exported.
// CertAuthorityMap maps clusterName -> types.CertAuthority
type CertAuthorityMap map[string]types.CertAuthority
// CertAuthorityTypeMap maps types.CertAuthType -> map(clusterName -> types.CertAuthority)
type CertAuthorityTypeMap map[types.CertAuthType]CertAuthorityMapThere was a problem hiding this comment.
I'm not even entirely sure they are needed any more after migrating to use the fanout. Thoughts on just removing them?
There was a problem hiding this comment.
I don't mind removing them, just map[types.CertAuthType]map[string]types.CertAuthority looks a bit "scary" in my opinion.
| } | ||
|
|
||
| for _, t := range cfg.Types { | ||
| collector.cas[t] = make(map[string]types.CertAuthority) |
There was a problem hiding this comment.
nit:
Suggested change
| collector.cas[t] = make(map[string]types.CertAuthority) | |
| collector.cas[t] = make(CertAuthorityMap) |
lib/services/watcher.go
Outdated
| @@ -980,9 +982,63 @@ type CertAuthorityWatcher struct { | |||
| // caCollector accompanies resourceWatcher when monitoring cert authority resources. | |||
| type caCollector struct { | |||
| CertAuthorityWatcherConfig | |||
| lock sync.RWMutex | |||
| cas map[types.CertAuthType]map[string]types.CertAuthority | |||
There was a problem hiding this comment.
nit:
Suggested change
| cas map[types.CertAuthType]map[string]types.CertAuthority | |
| cas CertAuthorityTypeMap |
jakule
reviewed
May 17, 2022
|
|
||
| cas := make(map[types.CertAuthType]types.CertAuthority) |
There was a problem hiding this comment.
nit:
Suggested change
| cas := make(map[types.CertAuthType]types.CertAuthority) | |
| cas := make(CertAuthorityMap) |
| } | ||
| } | ||
|
|
||
| func (s *remoteSite) watchCertAuthorities(remoteClusterVersion string) error { | ||
| localWatchedTypes, err := s.getLocalWatchedCerts(remoteClusterVersion) | ||
| func (s *remoteSite) watchCertAuthorities(remoteWatcher *services.CertAuthorityWatcher, remoteVersion string, cas map[types.CertAuthType]types.CertAuthority) error { |
There was a problem hiding this comment.
nit:
Suggested change
| func (s *remoteSite) watchCertAuthorities(remoteWatcher *services.CertAuthorityWatcher, remoteVersion string, cas map[types.CertAuthType]types.CertAuthority) error { | |
| func (s *remoteSite) watchCertAuthorities(remoteWatcher *services.CertAuthorityWatcher, remoteVersion string, cas CertAuthorityMap) error { |
|
Unit test failure looks like something related: |
jakule
approved these changes
May 17, 2022
|
@rosstimothy See the table below for backport results.
|
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
rosstimothy
added a commit
that referenced
this pull request
May 18, 2022
* Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs. (cherry picked from commit 1ac0957)
rosstimothy
added a commit
that referenced
this pull request
May 18, 2022
* Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs. (cherry picked from commit 1ac0957)
rosstimothy
added a commit
that referenced
this pull request
May 18, 2022
* Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs. (cherry picked from commit 1ac0957)
rosstimothy
added a commit
that referenced
this pull request
May 24, 2022
* Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs. (cherry picked from commit 1ac0957)
rosstimothy
added a commit
that referenced
this pull request
May 24, 2022
* Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs. (cherry picked from commit 1ac0957)
rosstimothy
added a commit
that referenced
this pull request
May 24, 2022
* Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs. (cherry picked from commit 1ac0957)
rosstimothy
added a commit
that referenced
this pull request
May 24, 2022
* Improve CertAuthorityWatcher CertAuthorityWatcher and its usage are refactored to allow for all the following: - eliminate retransmission of the same CAs - reduce memory usage by having one local watcher per proxy - adds the ability to filter only the CAs that are desired - reduce the time required to send the first CAs watchCertAuthorities now compares all CAs it receives from the watcher with the previous CA of the same type and only sends to the remote site if they are not identical. This is to reduce unnecessary network traffic which can be problematic for a root cluster with a larger number of leafs. The CertAuthorityWatcher is refactored to leverage a fanout to emit events to any number of watchers, each subscription can be for a subset of the configured CA types. The proxy now has only one CertAuthorityWatcher that is passed around similarly to the LockWatcher. This reduces the memory usage for proxies, which prior to this has one local CAWatcher per remote site. updateCertAuthorities no longer waits on the utils.Retry it is provided with before starting to watch CAs. By doing this the proxy no longer has to wait ~8 minutes before it even starts to watch CAs. (cherry picked from commit 1ac0957)
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CertAuthorityWatcher and its usage are refactored to allow for
all the following:
watchCertAuthorities now compares all CAs it receives from the
watcher with the previous CA of the same type and only sends to
the remote site if they are not identical. This is to reduce
unnecessary network traffic which can be problematic for a
root cluster with a larger number of leafs.
The CertAuthorityWatcher is refactored to leverage a fanout
to emit events to any number of watchers, each subscription
can be for a subset of the configured CA types. The proxy
now has only one CertAuthorityWatcher that is passed around
similarly to the LockWatcher. This reduces the memory usage
for proxies, which prior to this has one local CAWatcher per
remote site.
updateCertAuthorities no longer waits on the utils.Retry it
is provided with before starting to watch CAs. By doing this
the proxy no longer has to wait ~8 minutes before it even
starts to watch CAs.