OCPBUGS-31384: use update only secret-apply for cert rotation logic #1705
Conversation
openshift-ci
bot
added
the
do-not-merge/work-in-progress
tkashem
force-pushed
the
secret-hack-4.16
branch
3 times, most recently
from
dd8c828
to
808b66e
Compare
|
/test unit |
tkashem
force-pushed
the
secret-hack-4.16
branch
from
808b66e
to
7964d6d
Compare
|
/test unit |
tkashem
force-pushed
the
secret-hack-4.16
branch
2 times, most recently
from
52e5349
to
5930e37
Compare
| // NOTE: DO NOT USE, this is meant to be a short term hack for a very specific use case, | ||
| // and will not work for your application |
There was a problem hiding this comment.
I don't trust that this won't be used anyway, can we do more?
There was a problem hiding this comment.
well, another alternative is for the certrotation package to have its own copy of the function, but then we lose out on any improvements made on the library function.
| @@ -19,6 +26,170 @@ import ( | |||
| "github.com/openshift/library-go/pkg/operator/events" | |||
| ) | |||
|
|
|||
| func TestRotatedSigningCASecretWithMultipleControllers(t *testing.T) { | |||
| ns, name := "ns", "test-signer" | |||
| t.Fatal(err) | ||
| } | ||
|
|
||
| // give it a second so we have a unique signer name, |
There was a problem hiding this comment.
Can we change the way signer names are chosen so that they are practically guaranteed to be unique? We were looking at kube-apiserver logs last week and observed that the issuer name was the same for the external and internal serving certs. Given the issue context, it's not unrealistic to imagine two successive rotations producing signers with the same name.
There was a problem hiding this comment.
It uses time.Now().Unix(), we could use UnixMicro or UnixNano to significantly reduce the chances of issuer name being same.
FWIW, i think it is outside the scope of this PR, i don't think that changing it will have a bad ripple effect on any cluster, not sure any tool relies on the current format
| wg.Wait() | ||
| // controllers are done, we don't expect the signer to change | ||
| secretGot, err := client.Get(context.TODO(), name, metav1.GetOptions{}) |
There was a problem hiding this comment.
Is this test deterministic? I would rather see one or more tests like #1699 that always repro some of the known bad sequences, unless we can reproducibly fuzz different action sequences.
| indexer.Delete(existing) | ||
| if err := indexer.Add(action.GetObject()); err != nil { |
There was a problem hiding this comment.
Is this working around a problem with calling Update directly?
There was a problem hiding this comment.
yes, it ensures that the list cache always has the updated object
| Validity: 24 * time.Hour, | ||
| Refresh: 12 * time.Hour, | ||
| Client: getter, | ||
| Lister: corev1listers.NewSecretLister(indexer), |
There was a problem hiding this comment.
Would it be simpler to provide a test implementation of SecretLister using the fake client's object tracker instead of using client reactor functions to simulate a reflector?
There was a problem hiding this comment.
FWIW the client reactor lets us have more control between a) object changes and b) the cache is updated, not that we are exercising it in this test, but yeah i think we could use a fake SecretLister implementation.
Also I have designed the test to not rely on the reactor in order to synchronize events between controller A and B, so we could definitely use a SecretLister to simplify things
|
/test unit |
tkashem
force-pushed
the
secret-hack-4.16
branch
from
5930e37
to
faf58ee
Compare
tkashem
changed the title
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
The test is deterministic, it reproduces a certain race condition that results in new generation of signer |
tkashem
force-pushed
the
secret-hack-4.16
branch
from
faf58ee
to
c6b5cf6
Compare
| clientset.PrependReactor("update", "secrets", func(action clienttesting.Action) (handled bool, ret runtime.Object, err error) { | ||
| switch action := action.(type) { | ||
| case clienttesting.UpdateActionImpl: | ||
| indexer.Delete(existing) |
There was a problem hiding this comment.
indexer.Update doesn't work ?
|
|
||
| // the list cache is synced as soon as we have a delete, create, or update | ||
| clientset.PrependReactor("delete", "secrets", func(action clienttesting.Action) (handled bool, ret runtime.Object, err error) { | ||
| if err = indexer.Delete(existing); err != nil { |
There was a problem hiding this comment.
shouldn't we fail the test as soon as a call to delete is made ?
|
|
||
| // give it a second so we have a unique signer name, | ||
| // and also unique not-after, and not-before values | ||
| <-time.After(2 * time.Second) |
There was a problem hiding this comment.
Is this necessary ? The new certificate will have different keys generated so we will be able to detect the change, no?
| t.Errorf("expected the secret type to be: %q, but got: %q", corev1.SecretTypeTLS, secretGot.Type) | ||
| } | ||
|
|
||
| t.Logf("diff: %s", cmp.Diff(secretWant, secretGot)) |
There was a problem hiding this comment.
should we fail if the secrets are different ?
There was a problem hiding this comment.
the owner annotation might get added, so the goal of the test is to verify that the crt/key do not change
| } | ||
|
|
||
| t.Logf("diff: %s", cmp.Diff(secretWant, secretGot)) | ||
| } |
There was a problem hiding this comment.
shouldn't we validate clientset.Actions at the end of the test ?
| clientset.PrependReactor("create", "secrets", func(action clienttesting.Action) (handled bool, ret runtime.Object, err error) { | ||
| switch action := action.(type) { | ||
| case clienttesting.CreateActionImpl: | ||
| indexer.Delete(existing) |
There was a problem hiding this comment.
why do we have to perform deletion here ?
| } | ||
| return false, nil, nil | ||
| }) | ||
| clientset.PrependReactor("create", "secrets", func(action clienttesting.Action) (handled bool, ret runtime.Object, err error) { |
There was a problem hiding this comment.
why do we need a custom reactor for create call ?
tkashem
force-pushed
the
secret-hack-4.16
branch
from
c6b5cf6
to
f568ed3
Compare
pkg/operator/certrotation/signer.go
Outdated
| @@ -75,7 +75,7 @@ func (c RotatedSigningCASecret) EnsureSigningCertKeyPair(ctx context.Context) (* | |||
| // apply necessary metadata (possibly via delete+recreate) if secret exists | |||
| // this is done before content update to prevent unexpected rollouts | |||
| if ensureMetadataUpdate(signingCertKeyPairSecret, c.Owner, c.AdditionalAnnotations) && ensureSecretTLSTypeSet(signingCertKeyPairSecret) { | |||
| actualSigningCertKeyPairSecret, _, err := resourceapply.ApplySecret(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret) | |||
| actualSigningCertKeyPairSecret, _, err := resourceapply.ApplySecretDoNotUse(ctx, c.Client, c.EventRecorder, signingCertKeyPairSecret) | |||
There was a problem hiding this comment.
we should expose an option on EnsureSigningCertKeyPair that will force the usage of ApplySecretDoNotUse. Otherwise components that pull the new version will be broken.
There was a problem hiding this comment.
yes, that makes sense, this way we have the client opt-in for the new behavior we are adding, so just revendoring library-go does not automatically changes the client to use the new behavior
tkashem
force-pushed
the
secret-hack-4.16
branch
from
f568ed3
to
374ea07
Compare
| client := clientset.CoreV1().Secrets(ns) | ||
| newControllerFn := func(ctrlName string, wrapped *wrapped) *RotatedSigningCASecret { | ||
| recorder := events.NewKubeRecorderWithOptions(clientset.CoreV1().Events(ns), options, "operator", &corev1.ObjectReference{Name: ctrlName, Namespace: ns}) | ||
| return &RotatedSigningCASecret{ |
There was a problem hiding this comment.
I think that we should also create a test for the other controller (RotatedSelfSignedCertKeySecret) , wdyt ?
tkashem
force-pushed
the
secret-hack-4.16
branch
from
374ea07
to
96e8597
Compare
|
@tkashem: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/lgtm |
|
/approve |
1 similar comment
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mfojtik, p0lyn0mial, tkashem The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
tkashem
changed the title
|
@tkashem: Jira Issue OCPBUGS-31384: All pull requests linked via external trackers have merged: Jira Issue OCPBUGS-31384 has been moved to the MODIFIED state. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
/cherry-pick release-4.15 |
|
@p0lyn0mial: #1705 failed to apply on top of branch "release-4.15": In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
No description provided.