-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure a consistent TLS configuration #173
Conversation
Previously, it was possible for the http.Client's Transport to be missing the necessary root CAs to ensure that all TLS connections between the auth engine and the Kubernetes API were validated against a configured set of CA certificates. This fix ensures that the http.Client's Transport is always consistent with the configured CA cert chain, but introducing a periodic TLS configuration checker that is started as part of the backend's initialization. The periodic checker provides a signal handler that will update the backend's TLS configuration on SIGHUP. Other fixes: - only update the client's transport when the CA certificate pool has changed.
Hi @anthonyralston , we are hoping to have this PR merged this week. I can't say for sure when the Vault release will be out. We should have more information about that soon. |
I'd be curious to learn why is timer based polling needed? In the scenario where the CA certificate is read from a local file, the logic in this PR might have some unintentional interactions with the previous logic in If I understood correctly, the go routine in this PR would result in a call vault-plugin-auth-kubernetes/backend.go Lines 44 to 46 in eabe602
In general, I suppose CA certificate is not updated too often. It is likely very long-lived certificate. Long(ish) 1 hour period made sense if having reload at all. I guess the whole reload logic only became relevant now due to the error in storage backend - causing it not to be loaded at all. I guess the |
In the case where the CA source is a local file, then yes. Ideally the read would only happen whenever the file has changed, not based on an arbitrary TTL. There would only ever be a 30 second delay between CA certificate rotation in that case.
Yes, that is definitely one approach, but we would prefer to have the setup/update of the |
In the other use case, where CA is in config: does it make sense to poll storage every 30 seconds, since storage cannot change without us knowing about it? |
Or is it so that it will poll storage every 30 seconds, regardless of CA being on disk or in config? Is that OK in performance wise? |
It is possible that a config update might fail to update the TLS config, in this case the poller will ensure that the issue is mitigated without the need for user intervention. We feel that the cost of an extra storage request and cert parsing is worth it here. |
Ok, fair enough! The issue could be avoided e.g. by checking only at |
Further clarify the docs related to the horizon vars.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally LGTM. Lots of comments on subtle concurrency concerns, so I may have got some wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Just some non-functional nit suggestions
* Ensure a consistent TLS configuration for k8s API requests Previously, it was possible for the http.Client's Transport to be missing the necessary root CAs to ensure that all TLS connections between the auth engine and the Kubernetes API were validated against a configured set of CA certificates. This fix ensures that the http.Client's Transport is always consistent with the configured CA cert chain, by introducing a periodic TLS configuration checker that is started as part of the backend's initialization. Other fixes: - only update the client's transport when the CA certificate pool has changed. Co-authored-by: Tom Proctor <[email protected]>
* Ensure a consistent TLS configuration for k8s API requests Previously, it was possible for the http.Client's Transport to be missing the necessary root CAs to ensure that all TLS connections between the auth engine and the Kubernetes API were validated against a configured set of CA certificates. This fix ensures that the http.Client's Transport is always consistent with the configured CA cert chain, by introducing a periodic TLS configuration checker that is started as part of the backend's initialization. Other fixes: - only update the client's transport when the CA certificate pool has changed. Co-authored-by: Tom Proctor <[email protected]>
* Ensure a consistent TLS configuration for k8s API requests Previously, it was possible for the http.Client's Transport to be missing the necessary root CAs to ensure that all TLS connections between the auth engine and the Kubernetes API were validated against a configured set of CA certificates. This fix ensures that the http.Client's Transport is always consistent with the configured CA cert chain, by introducing a periodic TLS configuration checker that is started as part of the backend's initialization. Other fixes: - only update the client's transport when the CA certificate pool has changed. Co-authored-by: Tom Proctor <[email protected]>
#190) * Ensure a consistent TLS configuration (#173) (#178) * Ensure a consistent TLS configuration for k8s API requests Previously, it was possible for the http.Client's Transport to be missing the necessary root CAs to ensure that all TLS connections between the auth engine and the Kubernetes API were validated against a configured set of CA certificates. This fix ensures that the http.Client's Transport is always consistent with the configured CA cert chain, by introducing a periodic TLS configuration checker that is started as part of the backend's initialization. Other fixes: - only update the client's transport when the CA certificate pool has changed. Co-authored-by: Tom Proctor <[email protected]> * Repo hygiene (#162) * update go and k8s versions go 1.19.1 k8s up to 1.25.0 * updated x/net and x/sys go get golang.org/x/[email protected] go get golang.org/x/[email protected] * make fmt making gofumpt happy * update chart and vault version Default to k8s 1.25.0 use chart 0.22.0 use vault 1.11.3 * Remove unused import add from cherry-pick --------- Co-authored-by: Tom Proctor <[email protected]> Co-authored-by: Theron Voran <[email protected]>
Previously, it was possible for the http.Client's Transport to be missing the necessary root CAs to ensure that all TLS connections between the auth engine and the Kubernetes API were validated against a configured set of CA certificates.
This fix ensures that the http.Client's Transport is always consistent with the configured CA cert chain, by introducing a periodic TLS configuration checker that is started as part of the backend's initialization.
Other fixes:
Closes #169 #170