
override least recently used entries when certificate_data dict is full #4232

Merged
merged 2 commits into from
Jul 1, 2019

Conversation

ElvinEfendi
Member

@ElvinEfendi ElvinEfendi commented Jun 26, 2019

What this PR does / why we need it:

For #4191 (comment)

I feel like we can do better than this. Here are some alternatives

  1. Flush all entries right before the loop - this is not good because while we are in the middle of the loop, the existing certificates will not be available and there might be brief downtime for some domains.

  2. Get all keys in the dictionary, diff them with the hostnames in servers, and delete the ones that are not in servers. We can do this, but getting all keys locks the dictionary - if we have many keys/certificates then we might end up locking the dictionary for too long. I presume this is an issue if there are over a few thousand certificates - so maybe this is an acceptable solution?

  3. Refactor the code completely and use the logic we use for backends, a.k.a. store the servers as raw JSON and have Nginx workers periodically fetch the raw servers, parse them and store them locally. Then when doing the TLS handshake the worker would look up the certificate from worker memory.

I think 3. is the best option.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:
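The PR title describes the approach that was merged: when the `certificate_data` shared dictionary is full, override the least recently used entries rather than failing the write. The example below is added here and is not the PR's own code (the page does not show the diff); it illustrates the distinction in the lua-nginx-module shared dict API that such a change rests on. It assumes an `nginx.conf` that declares `lua_shared_dict certificate_data 20M;`, and the function names `store_certificate_strict` and `store_certificate_lru` are invented for this illustration.

```lua
-- Added example, not code from kubernetes/ingress-nginx.
-- Assumes nginx.conf contains:  lua_shared_dict certificate_data 20M;
local certificate_data = ngx.shared.certificate_data

-- Variant A: safe_set never evicts other entries. Once the dict is full it
-- returns nil plus the error "no memory", so the certificate for a new host is
-- silently dropped unless the caller logs and surfaces the failure.
local function store_certificate_strict(hostname, pem)
  local ok, err = certificate_data:safe_set(hostname, pem)
  if not ok then
    ngx.log(ngx.ERR, "failed to store certificate for ", hostname, ": ", err)
    return false, err
  end
  return true
end

-- Variant B: set() overrides least recently used entries when the dict is
-- full. Its third return value, forcible, is true when such an eviction took
-- place. That is worth logging at WARN level: an evicted host will serve the
-- default certificate until the next sync, and a steady stream of forcible
-- writes is the signal that the dict size needs to grow.
local function store_certificate_lru(hostname, pem)
  local ok, err, forcible = certificate_data:set(hostname, pem)
  if not ok then
    ngx.log(ngx.ERR, "failed to store certificate for ", hostname, ": ", err)
    return false, err
  end
  if forcible then
    ngx.log(ngx.WARN, "certificate_data is full; least recently used entries ",
      "were evicted while storing ", hostname,
      " - consider increasing the lua_shared_dict size")
  end
  return true, nil, forcible
end

-- Lookup used at handshake time: a host whose entry was evicted simply misses
-- here, so callers should fall back to the default certificate rather than
-- abort the handshake.
local function lookup_certificate(hostname)
  return certificate_data:get(hostname)
end

return {
  store_certificate_strict = store_certificate_strict,
  store_certificate_lru = store_certificate_lru,
  lookup_certificate = lookup_certificate,
}
```

Neither variant locks the dictionary for longer than a single write, which is the property the discussion above is trying to preserve; the difference is only in what happens to the newest certificate when capacity runs out. Returning `forcible` to the caller lets the sync loop count evictions and export them as a metric instead of relying on log scraping.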

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jun 26, 2019
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 26, 2019
@codecov-io

Codecov Report

❗ No coverage uploaded for pull request base (master@ecce3fd). Click here to learn what that means.
The diff coverage is n/a.


@@            Coverage Diff            @@
##             master    #4232   +/-   ##
=========================================
  Coverage          ?   57.94%           
=========================================
  Files             ?       87           
  Lines             ?     6539           
  Branches          ?        0           
=========================================
  Hits              ?     3789           
  Misses            ?     2322           
  Partials          ?      428

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ecce3fd...e85ccfa. Read the comment docs.

@gork74

gork74 commented Jul 1, 2019

We definitely need this. We create a lot of certificates while building and will hit any fixed limit of the certificate store.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 1, 2019
@ElvinEfendi ElvinEfendi changed the title [WIP] override least recently used entries when certificate_data dict is full override least recently used entries when certificate_data dict is full Jul 1, 2019
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 1, 2019
@aledbf
Member

aledbf commented Jul 1, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 1, 2019
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aledbf, ElvinEfendi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit c01effb into kubernetes:master Jul 1, 2019
@ElvinEfendi ElvinEfendi deleted the fix-dynamic-cert-bug branch July 2, 2019 02:49