-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reload TLS certificates on change #2389
Conversation
1adb1e6
to
cbd3917
Compare
Config: &tls.Config{ | ||
ServerName: c.TLS.ServerName, | ||
}, | ||
CertPath: c.TLS.CertPath, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@yurishkuro instead of relying on the driver to load the certs I have changed it to use our TLS loading.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks really good. I have a few questions, and the only place that deserves some attention is at the commented out tests.
pkg/config/tlscfg/reload.go
Outdated
var err error | ||
switch event.Name { | ||
case w.opts.CAPath: | ||
err = addCertToPool(w.opts.CAPath, rootCAs) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this mean that if the contents of a CAPath
has changed, the new CA is added to the pool, but the old isn't removed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct, the pool does not expose API to remove old certificates
pkg/config/tlscfg/reload.go
Outdated
if !ok { | ||
return | ||
} | ||
w.logger.Error("Watcher got error", zap.Error(err)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also not sure what kind of errors it would get. If those are high-frequency as well, it would probably be better to have them at debug level.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would keep this at error level for now until we find out that these are high-freq (I haven't seen this being logged yet).
Codecov Report
@@ Coverage Diff @@
## master #2389 +/- ##
==========================================
- Coverage 95.60% 95.58% -0.02%
==========================================
Files 206 208 +2
Lines 10549 10676 +127
==========================================
+ Hits 10085 10205 +120
- Misses 396 398 +2
- Partials 68 73 +5
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, but still need to review the reload_test
pkg/config/tlscfg/options.go
Outdated
ServerName string `mapstructure:"server_name"` // only for client-side TLS config | ||
ClientCAPath string `mapstructure:"client_ca"` // only for server-side TLS config for client auth | ||
SkipHostVerify bool `mapstructure:"skip_host_verify"` | ||
watcher *certWatcher `mapstructure:"-"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the new name!
@@ -76,6 +76,9 @@ func main() { | |||
consumer.Start() | |||
|
|||
svc.RunAndThen(func() { | |||
if err := options.TLS.Close(); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will this not be already included in storageFactory.Close()?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The storage factory closes the TLS config for the producer. This closes the consumer.
@@ -70,5 +74,6 @@ func (b ProxyBuilder) GetManager() configmanager.ClientConfigManager { | |||
// Close closes connections used by proxy. | |||
func (b ProxyBuilder) Close() error { | |||
b.reporter.Close() | |||
b.tlsCloser.Close() | |||
return b.conn.Close() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could use multiclose.Wrap(a, b, c).Close()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done, the reporter didn't implement io.Closer
I have added return error
to it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
845aab6
to
5b95e48
Compare
if err := c.tlsCloser.Close(); err != nil { | ||
c.logger.Error("failed to close TLS certificate watcher", zap.Error(err)) | ||
} | ||
|
||
return nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure why this function keeps logging, would be cleaner to return them via multierr.Wrap, but doesn't need to be in this PR.
Signed-off-by: Pavol Loffay <[email protected]>
4dff444
to
88e5c65
Compare
Resolves jaegertracing/jaeger-operator#1099
This PR enables reloading of TLS certs in Elasticsearch client. The same approach can be used for other clients using our
tlscfg
or we can enable it by default.I have tested this on OCP 4.4 and Jaeger Operator with self-provisioned ES. To trigger the cert change I have removed master certs and wiped out the tmp dir in the operator pod.