OCPBUGS-38335: certrotation: avoid using applySecret to catch racy cert updates

[vrutkovs]

applySecret/applyConfigMap does Get initially, so instead of using the version we got from informer it refreshes it and may overwrite if other changes were done in parallel.

Instead of using applySecret/applyConfigMap we should be invoking Create/Update here directly. If the informer has outdated version its update would be rejected by etcd and sync function would be restarted

[openshift-ci-robot]

@vrutkovs: This pull request references API-1802 which is a valid jira issue.

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@vrutkovs: This pull request references API-1802 which is a valid jira issue.

In response to this:

applySecret/applyConfigMap does Get initially, so instead of using the version we got from informer it refreshes it and may overwrite if other changes were done in parallel.

Instead of using applySecret/applyConfigMap we should be invoking Create/Update here directly. If the informer has outdated version its update would be rejected by etcd and sync function would be restarted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bertinatto]

This won't record an event anymore, like ApplyConfigMap() does. Would that be something useful for users?

[bertinatto]

caBundleConfigMap is already a copy, and it may have been modified already. Do we really need another DeepCopy() here?

[p0lyn0mial]

Reporting an event on successful update is a good idea.

We don't need to call DeepCopy() here, please remove it.

[vrutkovs]

Done, removed

[bertinatto]

Technically other parts of caBundleConfigMap may have been updated (not only .Data). Should we log the message below in those cases?

[p0lyn0mial]

Why do we need this additional check anyway ? (line 89)
We already know that the update was required. So, if the call succeeded then we can simply report success.

[vrutkovs]

Good idea, we already have modified, so lets use it to emit the event

[bertinatto]

It seems like this change here won't help with the race (?).

Since this was added here and you don't need it anymore, could we revert that PR instead? This would also get rid of the resourceapply changes, which we aren't doing here.

[p0lyn0mial]

+1, we should cleanup and remove unused code like ApplySecretDoNotUse.

[vrutkovs]

Removed

[p0lyn0mial]

Given that we would like to report successful creation as well why not change the code to be more explicit.
For example:

1. we would introduce a new var creationRequired bool or var creationNeeded bool variable.
2. we would set the new variable at line 60
3. we would rename modified to updateRequired or updateNeeded
4. we would introduce a branch before line 89, for example:

if creationRequired {
 create
 report
 assign to `caBundleConfigMap`
 } else if updateRequired {
 update 
 report
 assign to `caBundleConfigMap`
 }

[p0lyn0mial]

Alternatively we could move the creation to line 53.

The creation is a rare operation and immediately after creation the sync loop will be triggered and we can issue an update.

[vrutkovs]

Good idea, now all functions should have exists and modified

[p0lyn0mial]

we don't want to report https://github.com/openshift/library-go/blob/master/pkg/operator/resource/resourceapply/event_helpers.go#L25 anymore ?

[vrutkovs]

Fixed

[bertinatto]

signingCertKeyPairSecret is either new or a deep copy of originalSigningCertKeyPairSecret, so I think you don't need another deep copy here?

[vrutkovs]

good catch, removed

[openshift-ci-robot]

@vrutkovs: This pull request references Jira Issue OCPBUGS-38335, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.18.0) matches configured target version for branch (4.18.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @wangke19

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

applySecret/applyConfigMap does Get initially, so instead of using the version we got from informer it refreshes it and may overwrite if other changes were done in parallel.

Instead of using applySecret/applyConfigMap we should be invoking Create/Update here directly. If the informer has outdated version its update would be rejected by etcd and sync function would be restarted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[p0lyn0mial]

The original PR introduced more changes. Not all were remove. Please open a new PR that reverts #1705.

[p0lyn0mial]

why don't want to report https://github.com/openshift/library-go/blob/master/pkg/operator/resource/resourceapply/event_helpers.go#L34 anymore ?

[vrutkovs]

Good point, we get an event that its about to be updated, but not the update result. Added this to the latest commit

[bertinatto]

if !exists instead?

[vrutkovs]

Fixed

[bertinatto]

I think this function could just receive a obj runtime.Object and you could figure out objType and obj using resourcehelper.GuessObjectGroupVersionKind(obj); gvk.Kind and resourcehelper.FormatResourceForCLIWithNamespace(obj) respectively.

So you could do:

emitEvent(c.EventRecorder, actualCABundleConfigMap, "Create", err)

[vrutkovs]

Good idea. Also using FormatResourceForCLI instead of namespaced version as events are namespaced anyway

[bertinatto]

If you do https://github.com/openshift/library-go/pull/1772/files#r1714300480, this would get shorter:

var actualSigningCertKeyPairSecret *corev1.Secret
if !exists {
	actualSigningCertKeyPairSecret, err = c.Client.Secrets(c.Namespace).Create(ctx, signingCertKeyPairSecret, metav1.CreateOptions{})
	emitEvent(c.EventRecorder, "Create", actualSigningCertKeyPairSecret, err)
} else {
	actualSigningCertKeyPairSecret, err = c.Client.Secrets(c.Namespace).Update(ctx, signingCertKeyPairSecret, metav1.UpdateOptions{})
	emitEvent(c.EventRecorder, "Update", actualSigningCertKeyPairSecret, err)
}

[vrutkovs]

to minimize copying important params I introduced "action" which is the only variable there

[bertinatto]

While I'm not familiar with these controllers, I did my best to review this, and to the best of my knowledge, these changes appear to be correct.

/lgtm

[p0lyn0mial]

Instead of this new function I would prefer to reuse reportCreateEvent and reportUpdateEvent.

I think we could open a new PR in which we would:

1. crate a new helpers pkg in library-go/pkg/operator/resource/helpers
2. we would move operator/resource/resourceapply/event_helpers.go to the new pkg (with tests)
3. we would export all report methods.

Then we could remove this file and use the new exported methods directly. WDYT?

[p0lyn0mial]

and we could modify line 70 to:

updateRequired = needsOwnerUpdate || needsMetadataUpdate

[p0lyn0mial]

do we really need this var ?

I think it could be replaced by creationRequired || updateRequired, right ?

[vrutkovs]

Yes. updateRequired means "any part of the secret has changed", but signerUpdated is specific to certificate part (we need to pass it on to trigger CA bundle / target cert updates)

[p0lyn0mial]

sure, I think that the following code:

	// at this point, the secret has the correct signer, so we should read that signer to be able to sign
	signingCertKeyPair, err := crypto.GetCAFromBytes(signingCertKeyPairSecret.Data["tls.crt"], signingCertKeyPairSecret.Data["tls.key"])
	if err != nil {
		return nil, signerUpdated, err
	}

	return signingCertKeyPair, signerUpdated, nil

could be replaced be:

	// at this point, the secret has the correct signer, so we should read that signer to be able to sign
	signingCertKeyPair, err := crypto.GetCAFromBytes(signingCertKeyPairSecret.Data["tls.crt"], signingCertKeyPairSecret.Data["tls.key"])
	if err != nil {
		return nil, creationRequired || updateRequired, err
	}

	return signingCertKeyPair, creationRequired || updateRequired, nil

and we could remove signerUpdated, am I right ?

[vrutkovs]

No, updateRequired || creationRequired is not equivalent to signerUpdated. We set updateRequired = true when annotations change too.

This PR is already growing too large - can we optimize this in a followup?

[p0lyn0mial]

ok, do you also want to move the refactor commit to a new PR ?

[vrutkovs]

Lets leave this version as is and experiment if signerUpdated can be removed in a separate PR.

I think we want more specific messages for signer/cabundle/target too, i.e. Updated contents and Updated metadata probably

[p0lyn0mial]

is this needed here ?

[p0lyn0mial]

ping

[vrutkovs]

Oh, right, no longer needed

[p0lyn0mial]

@vrutkovs could you also open a proof PR in kas-o so that we get a CI signal?

[vrutkovs]

Opened openshift/cluster-kube-apiserver-operator#1721

[p0lyn0mial]

Opened openshift/cluster-kube-apiserver-operator#1721

the pr was created one week ago and e2e tests haven't been executed. Could you address #1772 (comment) and then pull this pr into 1721 and kick off the tests?

[p0lyn0mial]

/lgtm

let's wait for openshift/cluster-kube-apiserver-operator#1721 before merging.

[vrutkovs]

/test unit

[p0lyn0mial]

does c.CertCreator.NeedNewTargetCertKeyPair persist any resource in etcd (does it use Apply* method?)

[vrutkovs]

No, we don't even pass client there. It decides on the contents of the secret whether it needs to be regenerated

[p0lyn0mial]

ok, thanks.

[p0lyn0mial]

this comment is outdated.

[p0lyn0mial]

ping

[vrutkovs]

Fixed

[p0lyn0mial]

/lgtm

let's wait for openshift/cluster-kube-apiserver-operator#1721 before merging.

[openshift-ci]

@vrutkovs: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[soltysh]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bertinatto, p0lyn0mial, soltysh, vrutkovs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/operator/OWNERS [soltysh]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@vrutkovs: Jira Issue OCPBUGS-38335: All pull requests linked via external trackers have merged:

• openshift/library-go#1772
• openshift/library-go#1773

Jira Issue OCPBUGS-38335 has been moved to the MODIFIED state.

In response to this:

applySecret/applyConfigMap does Get initially, so instead of using the version we got from informer it refreshes it and may overwrite if other changes were done in parallel.

Instead of using applySecret/applyConfigMap we should be invoking Create/Update here directly. If the informer has outdated version its update would be rejected by etcd and sync function would be restarted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.