Skip to content
This repository has been archived by the owner on Oct 10, 2023. It is now read-only.

Do not update certificates on filesystem if content is identical. #2584

Merged
merged 1 commit into from
Jun 9, 2022
Merged

Do not update certificates on filesystem if content is identical. #2584

merged 1 commit into from
Jun 9, 2022

Conversation

adduarte
Copy link

@adduarte adduarte commented Jun 8, 2022
edited by vijaykatam
Loading

When installing new certificates, even if the file contents
are identical, it will retrigger a a reload of TLS certificates
by the controller-runtime. This causes the controller-runtime
to reload TLS certificates everytime the webhook tls are managed.

This pr fixes that by only writing the certificates to the filesystem
if the contents of the file (certificates) have actually changed.

This pr also increases the management frequency from 1 minute to
90 minutes

Which issue(s) this PR fixes

Fixes #2570

Describe testing done for PR

local unit test
deployed aws cluster and pointed addons-manager to it. then manually removed tls.crt and tls.key files and observed the files succesfully be re-written, repeated same test but instead of removing file, changed contents of file and observed files being re-written.
Also observed that if files where unchanged, they were NOT rewritten at management time.

Release note

package-based-lcm: Fix constant reloading of certificates of controller-runtime by only changing certs on filesystem if contents have changed.

PR Checklist

  • Squash the commits into one or a small number of logical commits
  • Use good commit messages
  • Ensure PR contains terms all contributors can understand and links all contributors can access

Additional information

Special notes for your reviewer

@adduarte adduarte requested review from a team as code owners June 8, 2022 18:08
@adduarte adduarte mentioned this pull request Jun 8, 2022
Closed
3 tasks
vijaykatam
vijaykatam reviewed Jun 8, 2022
View reviewed changes
Copy link
Contributor

@vijaykatam vijaykatam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor comments. Could you update issue with more details? It is completely empty.

pkg/v1/webhooks/certificates.go Show resolved Hide resolved
@codecov
Copy link

codecov bot commented Jun 8, 2022
edited
Loading

Codecov Report

Merging #2584 (d43335b) into main (0c20ca1) will decrease coverage by 0.03%.
The diff coverage is 44.73%.

@@            Coverage Diff             @@
##             main    #2584      +/-   ##
==========================================
- Coverage   42.58%   42.54%   -0.04%     
==========================================
  Files         401      401              
  Lines       39796    39834      +38     
==========================================
+ Hits        16948    16949       +1     
- Misses      21261    21286      +25     
- Partials     1587     1599      +12
Impacted Files Coverage Δ
pkg/v1/webhooks/certificates.go 15.95% <44.73%> (+8.75%) ⬆️
...ons/controllers/packageinstallstatus_controller.go 80.64% <0.00%> (-2.16%) ⬇️
addons/controllers/clusterbootstrap_controller.go 68.60% <0.00%> (-0.99%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0c20ca1...d43335b. Read the comment docs.

@adduarte adduarte force-pushed the issue_2570 branch 2 times, most recently from 84df175 to 132a292 Compare June 8, 2022 22:58
vijaykatam
vijaykatam approved these changes Jun 9, 2022
View reviewed changes
Copy link
Contributor

@vijaykatam vijaykatam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Rebase for CI fix.

Do not update certificates on filesystem if content is identical.
d43335b 
When installing new certificates, even if the file contents
are identical, it will retrigger a a reload of TLS certificates
by the controller-runtime. This causes the controller-runtime
to reload TLS certificates everytime the webhook tls are managed.

This pr fixes that by only writing the certificates to the filesystem
if the contents of the file (certificates) have actually changed.

This pr also increases the management frequency from 1 minute to
90 minutes
@shyaamsn shyaamsn added the ok-to-merge PRs should be labelled with this before merging label Jun 9, 2022
@adduarte adduarte merged commit 03a7cb1 into vmware-tanzu:main Jun 9, 2022
ankeesler pushed a commit to ankeesler/tanzu-framework that referenced this pull request Jun 14, 2022
@ankeesler
Do not update certificates on filesystem if content is identical. (vm…
484fac8 
…ware-tanzu#2584)

When installing new certificates, even if the file contents
are identical, it will retrigger a a reload of TLS certificates
by the controller-runtime. This causes the controller-runtime
to reload TLS certificates everytime the webhook tls are managed.

This pr fixes that by only writing the certificates to the filesystem
if the contents of the file (certificates) have actually changed.

This pr also increases the management frequency from 1 minute to
90 minutes
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Reviewers

@vijaykatam vijaykatam vijaykatam approved these changes

Assignees
No one assigned
Labels
cla-not-required ok-to-merge PRs should be labelled with this before merging
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Webhook management causes cuntroller-runtime to reload certs too often
4 participants
@adduarte @vijaykatam @shyaamsn @vmwclabot