Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Watch cert files and reload on change #141

Merged
merged 10 commits into from
Mar 6, 2024

Conversation

ycheng-kareo
Copy link
Contributor

The current webhook does not watch for cert renewal changes. When the cert is renewed, the pod must be restarted to reload the new cert.

This commit watches the cert files and reloads the cert when a change is detected.

See: #135

The current webhook does not watch for cert renewal changes.
When the cert is renewed, the pod must be restarted to reload
the new cert.

This commit watches the cert files and reloads the cert when a
change is detected.

See: kubernetes-sigs#135
Copy link

linux-foundation-easycla bot commented Feb 8, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Feb 8, 2024
@k8s-ci-robot k8s-ci-robot added the sig/windows Categorizes an issue or PR as relevant to SIG Windows. label Feb 8, 2024
@k8s-ci-robot
Copy link
Contributor

Welcome @ycheng-kareo!

It looks like this is your first PR to kubernetes-sigs/windows-gmsa 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/windows-gmsa has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Feb 8, 2024
@jsturtevant
Copy link
Contributor

@ycheng-kareo thank you! can you sign the CLA so we can review and run the tests?

@ycheng-kareo
Copy link
Contributor Author

ycheng-kareo commented Feb 8, 2024 via email

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Feb 9, 2024
@ycheng-kareo
Copy link
Contributor Author

@jsturtevant not sure if you had a chance to review the changes yet. any feedback or changes you'd like to see? thank you!

@jsturtevant
Copy link
Contributor

Thanks for the ping, I wasn't notified via the email notifications that the CLA was signed. I will take a look today

Copy link
Contributor

@jsturtevant jsturtevant left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution! It would be nice to have an e2e tests for this as well. Could you either add one or open an issue so we can track that as a follow-up?

I was also wondering if this is something that should be put behind a cli-flag so it's an opt in feature? I am not sure what my thoughts are here. @marosset @aravindhp?

admission-webhook/cert_reloader.go Show resolved Hide resolved
admission-webhook/cert_reloader.go Outdated Show resolved Hide resolved
@aravindhp
Copy link

I was also wondering if this is something that should be put behind a cli-flag so it's an opt in feature?

This seems like a new feature addition so my vote is to put this behind a cli-flag that defaults to off. With more testing we can consider making this feature GA and defaulting to on if needed.

logging the failure silently may give a false sense that the cert
watcher is watching the files when in fact it isn't. it's better to
fail loudly so the user's aware and react accordingly
@ycheng-kareo
Copy link
Contributor Author

i'm going to work on adding the cli flag and the e2e test

the cert reload is a new feature that could negatively impact the
startup of the webhook. the -cert-reload CLI flag defaults to off
to avoid surprises. once mature, we can default to on
@ycheng-kareo
Copy link
Contributor Author

still working on the e2e test. stay tuned

@ycheng-kareo
Copy link
Contributor Author

@jsturtevant added e2e test. please provide feedback. thanks!

// apply the new cert & key pair
renderedTemplate := renderTemplate(t, testConfig, newSecretTemplate)
success, _, _ := applyManifest(t, renderedTemplate)
assert.True(t, success)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this ensures the secret got applied correctly, Do we also need to check that the webhook got the secret and is still running?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i need some pointers for this. what's a good way to check the webhook got the secret and is still running?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a bit involved since we need to:

As a bonus (maybe seperate test), we could also verify that requests to the webhook always return during this process. I.e we don't drop requests during rotation.

This is a bit involved so if you want to skip it, we can resolve the remaining comments, merge the PR and I can do a follow up after but if you up for the challenge that works too

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i'm going to skip it in the interest of getting this PR merged so my colleague can move forward with his task. i'm a slow coder and don't want to hold everyone up. really appreciate the detailed pointers getting me this far and your willingness to do the follow-up 🙏

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could you add a TODO with the comments about for this test? Then I think we are good to go.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just pushed up the comments. formatting is somehow screwed up. this also removed your lgtm

@jsturtevant
Copy link
Contributor

/ok-to-test

not sure if this will let GH actions run every time a new commit is pushed but worth a shot

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Feb 28, 2024
if someone uses the --cert-reload arg with an older version,
it will not work
Copy link
Contributor

@jsturtevant jsturtevant left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 1, 2024
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 1, 2024
@jsturtevant
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 1, 2024
@jsturtevant
Copy link
Contributor

/assign @aravindhp @marosset
for a quick look to make sure I didn't miss anything. I will follow up on the e2e test after this merges

@marosset
Copy link
Contributor

marosset commented Mar 6, 2024

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: marosset, ycheng-kareo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 6, 2024
@k8s-ci-robot k8s-ci-robot merged commit a6ef6f8 into kubernetes-sigs:master Mar 6, 2024
10 checks passed
Copy link

@aravindhp aravindhp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM except for a comment.

charts/gmsa/templates/deployment.yaml Show resolved Hide resolved
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. sig/windows Categorizes an issue or PR as relevant to SIG Windows. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants