Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Add functionality to dynamically reload the VPA certs #3462

Closed
wants to merge 3 commits into from
Closed

[WIP] Add functionality to dynamically reload the VPA certs #3462

wants to merge 3 commits into from

Conversation

surajnarwade
Copy link

@surajnarwade surajnarwade commented Aug 26, 2020
edited
Loading

This PR adds the functionality of dynamically reloading the tls certificates for VPA admission controller.

How does it work?

  • cert-manager or any other mechanism updates the certs in secrets, fsnotify watcher will watch at /etc/tls-certs (where secrets are mounted) and triggers an event if certs are updated

  • Once, certs are updated, reload function will again reload new certs

  • callback hook GetCertificate in tls.Config is used to get the new certs

Reference

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 26, 2020
@k8s-ci-robot
Copy link
Contributor

Welcome @surajnarwade!

It looks like this is your first PR to kubernetes/autoscaler 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/autoscaler has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Aug 26, 2020
@surajnarwade surajnarwade changed the title Add functionality to automatically renew the VPA certs Add functionality to dynamically reload the VPA certs Aug 26, 2020
@surajnarwade surajnarwade marked this pull request as ready for review August 26, 2020 13:46
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 26, 2020
arjunrn
arjunrn reviewed Aug 28, 2020
View reviewed changes
vertical-pod-autoscaler/pkg/admission-controller/certs.go
}
}()

if err := watcher.Add("/etc/tls-certs"); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You probably don't want this hardcoded. You should get the directories of both the cert and key and set watches on them.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 I think you want those as flags passed in to the KeyPairReloader

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure, I will update it 👍

@arjunrn
Copy link
Contributor

arjunrn commented Aug 28, 2020

How about a test where an KeyReloader is the configuration files are changed and then the test verifies that the key and cert have been reloaded correctly.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 1, 2020
bskiba
bskiba suggested changes Oct 2, 2020
View reviewed changes
Copy link
Member

@bskiba bskiba left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some comments. I would also like this new behavior hidden behind the flag, so that the default behavior would still be not starting a watch for certs.

Can you describe how you tested this change?

vertical-pod-autoscaler/pkg/admission-controller/certs.go
}
}()

if err := watcher.Add("/etc/tls-certs"); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 I think you want those as flags passed in to the KeyPairReloader

vertical-pod-autoscaler/pkg/admission-controller/certs.go
case event := <-watcher.Events:
// fsnotify.create events will tell us if there are new certs
if event.Op&fsnotify.Create == fsnotify.Create {
klog.Info("Reloading certs")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add verbosity level to the log? And the log could be "New certificate found, reloading certs"

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure 👍

vertical-pod-autoscaler/pkg/admission-controller/certs.go
if event.Op&fsnotify.Create == fsnotify.Create {
klog.Info("Reloading certs")
if err := result.reload(); err != nil {
klog.Infof("Could not load new certs: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should probably be Warning

vertical-pod-autoscaler/pkg/admission-controller/certs.go
@@ -99,7 +98,7 @@ func NewKeypairReloader(config certsConfig) (*KeypairReloader, error) {

// watch for errors
case err := <-watcher.Errors:
klog.Infof("error", err)
klog.Infof("error: %v", err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need more descriptive log here. Probably also warning or error level.
Is there any action to be taken on observing errors from the watcher?

vertical-pod-autoscaler/pkg/admission-controller/main.go
// load certs
kpr, err := NewKeypairReloader(*certsConfiguration)
if err != nil {
klog.Fatal(err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More info in the log needed, like "Failed to load certificate on startup: %v", err

vertical-pod-autoscaler/pkg/admission-controller/main.go
}
// this will check if there are new certs before every tls handshake
t := &tls.Config{GetCertificate: kpr.GetCertificateFunc()}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

server.TLSConfig = &tls.Config{GetCertificate: kpr.GetCertificateFunc()}

you can also do it above:
server := &http.Server{
Addr: fmt.Sprintf(":%d", *port),
TLSConfig: &tls.Config{GetCertificate: kpr.GetCertificateFunc()},
}

One more thing is that the KeypairReloader could have a GetTLSConfig function and then we could simply have:

server := &http.Server{
Addr: fmt.Sprintf(":%d", *port),
TLSConfig: kpr.GetTLSConfig(),
}

vertical-pod-autoscaler/pkg/admission-controller/main.go
}
// this will check if there are new certs before every tls handshake
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, this will return up-to-date cert before every handshake, right?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, that's correct, I've updated the comment :)

vertical-pod-autoscaler/pkg/admission-controller/certs.go

// GetCertificateFunc will return function which will be used as tls.Config.GetCertificate
func (kpr *KeypairReloader) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
return func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since clientHello is unused, you can replace it with underscore

@bskiba bskiba added kind/feature Categorizes issue or PR as related to a new feature. area/vertical-pod-autoscaler labels Oct 2, 2020
@mwielgus
Copy link
Contributor

Ping.

@surajnarwade
Copy link
Author

@bskiba , @mwielgus thanks for all the reviews, sorry could not get back to PR earlier. I will update the PR now

@surajnarwade surajnarwade changed the title Add functionality to dynamically reload the VPA certs [WIP] Add functionality to dynamically reload the VPA certs Oct 26, 2020
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 26, 2020
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 26, 2020
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: surajnarwade
To complete the pull request process, please assign krzysied after the PR has been reviewed.
You can assign the PR to them by writing /assign @krzysied in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 24, 2021
@mwielgus
Copy link
Contributor

Closing due to inactivity. The PR has been WIP for 3 months.

@mwielgus mwielgus closed this Jan 25, 2021
@mwielgus
Copy link
Contributor

Feel free to reopen if needed.

@L1ghtman2k L1ghtman2k mentioned this pull request Aug 17, 2022
Closed
@bmendoza820 bmendoza820 mentioned this pull request Nov 10, 2023
Closed
@Nuckal777 Nuckal777 mentioned this pull request Mar 25, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arjunrn arjunrn arjunrn left review comments

@bskiba bskiba bskiba requested changes

@jbartosik jbartosik Awaiting requested review from jbartosik

@krzysied krzysied Awaiting requested review from krzysied

Assignees
No one assigned
Labels
area/vertical-pod-autoscaler cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/feature Categorizes issue or PR as related to a new feature. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@surajnarwade @k8s-ci-robot @arjunrn @mwielgus @fejta-bot @bskiba