[WIP] allow server cert rotation without a restart

[krasi-georgiev]

I did a quick test and reading the file from disk on every request is ok sinse the kernel puts this in the pagecache so in practice it reads the file from memory when not changed and reads it from disk when it is replaced with a new one.

• tests
• refactor to reduce the performance overhead
• try to implement something similar for the CA rotation.
• the CA rotation works only for the client CAs and not for the server CAs. Missing GetServerConfig as mentioned in proposal: Add GetClientCAs to tls.Config golang/go#16066 (comment)
  Tracking issue: proposal: crypto/tls: add GetConfigForServer callback to *tls.Config golang/go#22836
  should be able to use VerifyPeerCertificate for this - proposal: crypto/tls: add GetConfigForServer callback to *tls.Config golang/go#22836 (comment)

related modules that use the same idea.
https://godoc.org/golang.org/x/crypto/acme/autocert
https://github.com/johanbrandhorst/certify

I did a quick test and reading the same file from disk is not a problem as the kernel caches it in the memory when the file is not changed.

Test for reading the same file again doesn't hit the disk

func Test_io(t *testing.T) {
	pid := os.Getpid()
	for {
		_, err := ioutil.ReadFile("env")
		testutil.Ok(t, err)

		io, err := ioutil.ReadFile("/proc/" + strconv.Itoa(pid) + "/io")
		testutil.Ok(t, err)

		fmt.Println(string(io))
		time.Sleep(500 * time.Millisecond)
	}
}

[povilasv]

🥇

[brancz]

This reads and parses the certificates on every request. I feel it would be appropriate to do this periodically instead and atomically swap them.

[krasi-georgiev]

This reads and parses the certificates on every request. I feel it would be appropriate to do this periodically instead and atomically swap them.

Yep, and it was the second item on my to do list in the PR description 😸

refactor to reduce the performance overhead

I already refactored it to compare mod times and reload only when different, but will think how to improve even more.
I think this is only important with the receiver which receives many requests per second all other components should be fine even with this approach right?
I am thinking to add some delay arg which would be used only by the receiver.

by the way currently the Prometheus scrape client does this with every request which I agree should be improved.
https://github.com/prometheus/common/blob/2afc453a9de43c46dadd462998d096e52cd4e4e3/config/http_config.go#L348

[brancz]

Sorry was too hasty. All good :)

[GiedriusS]

I guess this is still a work in progress because of these comments?

[krasi-georgiev]

yep one of the items in my todo list

test if the CA pool gets updated with the ponter

[bwplotka]

Do we have a story for compatible rotation? e.g how this will work between server and client? (: e.g does the rotation has to happen in the same time for both srv and client?

[krasi-georgiev]

Do we have a story for compatible rotation? e.g how this will work between server and client? (: e.g does the rotation has to happen in the same time for both srv and client?

good point. I think Thanos should only be responsible for rotating the certs when new ones are presented the rest should be handled by the config management.

All that said at the moment the setup allows a single CA and maybe it should be changed to allow multiple CA files to allow an easier rotation.

[brancz]

Even if a single file, CAs can usually be loaded as bundles so in reality there are multiple CAs in one file.

[krasi-georgiev]

now after writing the tests I realized that there is another problem.
getConfigForClient and getCertificate are called only with the tls handshake and NOT when sending or receiving data which means that for long running data flow it will never reload the certs as it will reuse the same connection and no new tls handshake will happen.
In this PR I have also added a cli flag so users can set the keep alive setting with MaxConnectionAge which enforces a new TLS hanshake when MaxConnectionAge expires.
New tls handshake is initiated when the connection is interrupted or when the MaxConnectionAge expires.

So with this new info I think there are 3 options:

1. keep the current implementation with a cli flag for MaxConnectionAge
2. run some loop which will restart the server gracefully or drop all connections when it detects tls cert files changes.
3. provide a reload endpoint and leave reloading to external config management.

Again I think this is important mainly for the thanos receiver as I imagine that with all other components a new connection and a new tls handshake would be created with every request so it will reload the certs as expected.

cc @bwplotka, @s-urbaniak

[krasi-georgiev]

@squat , @bwplotka @s-urbaniak waiting for some feedback on which options do you think is best for this implementation.

[s-urbaniak]

@krasi-georgiev Sorry for the late reply. I am voting for option "1. keep the current implementation with a cli flag for MaxConnectionAge"

I believe this is a sensible setting and less disruptive than the other options. Also, it does not require external coordination (someone has to implement that timeout).

Finally cert rotation happens in timespans of minutes, maybe even hours so a MaxConnectionAge in that timespan sounds sensible to me too.

@bwplotka @brancz Do you have additional thoughts or objections?

[bwplotka]

the CA rotation works only for the client CAs and not for the server CAs. Missing GetServerConfig as mentioned in golang/go#16066 (comment)

How did we work around this one?

So I think MaxConnectionAge here might be too short by default (1m), as kind of defies any KeepAlive logic.. but maybe something longer would make sense. Also something I would like to check if MaxConnectionAge is actually accounted for during long-running requests, although I think we don't do those longer than X minutes.

What's the requirement for those cert rotations in terms of delay? I think ~minutes is ok, so maybe we could start with this, but larger MaxConnectionAge

[s-urbaniak]

What's the requirement for those cert rotations in terms of delay? I think ~minutes is ok, so maybe we could start with this, but larger MaxConnectionAge

agreed, the ~minutes ballpark sounds good to me.

[krasi-georgiev]

After a bit of a struggle the tls rotation is implemented with full e2e tests.

As mentioned in the first PR comment server CA rotation is missing becasue it is yet not added in the golang std library so I left a TODO note to add it when it is added in the golang std library. I don't think that this is a blocker for this PR and I will follow up the tracking golang issues for updates.

@squat I also noticed that there are no e2e tests for the reciever TLS, should I add it to this PR or you prefer to open another PR after this one is merged?

[squat]

Looks quite good so far!

[krasi-georgiev]

@squat thanks for the review, addressed all comments.

didn't answer my original question though 😺

@squat I also noticed that there are no e2e tests for the reciever TLS, should I add it to this PR or you prefer to open another PR after this one is merged?

[squat]

let's do it in a new PR to keep the concerns separate :) I can make the PR

[krasi-georgiev]

@brancz @bwplotka any other comments for this PR?

[krasi-georgiev]

ping @bwplotka

[GiedriusS]

@krasi-georgiev are there any numbers on the performance impact of the current implementation? 👀 does Windows exhibit the same behavior with caching?

[krasi-georgiev]

@krasi-georgiev are there any numbers on the performance impact of the current implementation?

probably, but only for single syscall to get the ModTime() so I would say negligible. If anyone wants to disable this can set a high enough --grpc-server-max-connection-age so that the connection is persistent and it never checks for new certs.

does Windows exhibit the same behavior with caching?

I would say yes, but is windows even suported by Thanos?
Last time I tried to run the tests under windoes these failed in many places.

[xunleii]

Thanks for this PR, it is awesome to automatically reload certificates when they are modified.

It works perfectly on Kubernetes with certificates automatically renewed by Cert-Manager 👍
I have tested this PR with a Thanos querier and a Thanos sidecar, using DNS SRV discovery, GRPC TLS and client auth by certiifcates, with all certificates renewed each 5 minutes.

EDIT: Sorry guys, I edit this comment because of huge pebcak on my side ... I have tested this PR and it seems working perfectly !

[stale]

This issue/PR has been automatically marked as stale because it has not had recent activity. Please comment on status otherwise the issue will be closed in a week. Thank you for your contributions.

[bwplotka]

Still much needed. Looking for more time to review it properly. Help wanted.

…

On Sat, 4 Apr 2020 at 23:35, stale[bot] ***@***.***> wrote: This issue/PR has been automatically marked as stale because it has not had recent activity. Please comment on status otherwise the issue will be closed in a week. Thank you for your contributions. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1672 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABVA3O4MJTA5B7WPDWLTIYLRK6Y3NANCNFSM4JDEVZAA> .

[stale]

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[bwplotka]

It is indeed (:

…

On Thu, 4 Jun 2020 at 10:50, stale[bot] ***@***.***> wrote: Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1672 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABVA3OYE7SATENMESBDUAWTRU5U5NANCNFSM4JDEVZAA> .

[stale]

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[bwplotka]

still valid (:

…

On Mon, 3 Aug 2020 at 11:38, stale[bot] ***@***.***> wrote: Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1672 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABVA3O7WWUZXGRE2P4OWMI3R62HR3ANCNFSM4JDEVZAA> .

[stale]

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[bwplotka]

For review, help wanted. Kind Regards, Bartek Płotka (@bwplotka)

…

On Fri, 2 Oct 2020 at 14:54, stale[bot] ***@***.***> wrote: Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward? This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#1672 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABVA3O5UKITRY25SMPKGGYDSIXLSXANCNFSM4JDEVZAA> .

[krasi-georgiev]

stale, someone else needs to take over.

[Tachone]

now after writing the tests I realized that there is another problem. getConfigForClient and getCertificate are called only with the tls handshake and NOT when sending or receiving data which means that for long running data flow it will never reload the certs as it will reuse the same connection and no new tls handshake will happen. In this PR I have also added a cli flag so users can set the keep alive setting with MaxConnectionAge which enforces a new TLS hanshake when MaxConnectionAge expires. New tls handshake is initiated when the connection is interrupted or when the MaxConnectionAge expires.

So with this new info I think there are 3 options:

1. keep the current implementation with a cli flag for MaxConnectionAge
2. run some loop which will restart the server gracefully or drop all connections when it detects tls cert files changes.
3. provide a reload endpoint and leave reloading to external config management.

Again I think this is important mainly for the thanos receiver as I imagine that with all other components a new connection and a new tls handshake would be created with every request so it will reload the certs as expected.

cc @bwplotka, @s-urbaniak

Why do we need to set MaxConnectionAge, Is there any problem with the long connection not being closed? the old certificate is no longer used on the established connection, am i wrong?