Skip to content

Plumb dynamic SNI certificates #83627

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 23, 2019
Merged

Plumb dynamic SNI certificates #83627

merged 1 commit into from
Oct 23, 2019

Conversation

jackkleeman
Copy link
Contributor

@jackkleeman jackkleeman commented Oct 8, 2019
edited
Loading

What type of PR is this?
/kind feature

What this PR does / why we need it:
This PR is initial plumbing towards allowing apiserver SNI serving certificates to be reloaded from disk. We change the SNI map in the SecureServingInfo to be a list of DynamicSNICertKeyContentProvider, which can return explicit SNI names, and currently is implemented by a static provider that doesn't re-read off of disk, but this can change in a subsequent PR which will add a dynamic provider.

Does this PR introduce a user-facing change?:

NONE

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Oct 8, 2019
@k8s-ci-robot
Copy link
Contributor

Hi @jackkleeman. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. area/apiserver area/dependency Issues or PRs related to dependency changes sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 8, 2019
@k8s-ci-robot k8s-ci-robot requested review from CaoShuFeng, smarterclayton and a team October 8, 2019 18:07
@jackkleeman
Copy link
Contributor Author

/assign @deads2k

@jackkleeman jackkleeman changed the title Sni cert reload Plumb dynamic SNI certificates Oct 8, 2019
@jackkleeman jackkleeman mentioned this pull request Oct 13, 2019
Closed
4 tasks
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Oct 17, 2019
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 17, 2019
jackkleeman
jackkleeman commented Oct 20, 2019
View reviewed changes
staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/named_certificates_test.go
explicitNames []string // as --tls-sni-cert-key explicit names
}

func TestBuiltNamedCertificates(t *testing.T) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Simply moved from staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go and updated to build cert providers

@cblecker cblecker removed the request for review from a team October 21, 2019 03:41
@deads2k
Copy link
Contributor

deads2k commented Oct 21, 2019

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 21, 2019
@jackkleeman
Plumb dynamic SNI certificates
84bc6b1 
We create and use a dynamic certificate provider for the SNI serving
certificates. Currently we only use static serving certificate
providers, so the files are not reloaded, but we should be able to move
to a provider that is able to reload later on.
@deads2k
Copy link
Contributor

deads2k commented Oct 22, 2019

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 22, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, jackkleeman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 22, 2019
@jackkleeman
Copy link
Contributor Author

/retest

3 similar comments
@jackkleeman
Copy link
Contributor Author

/retest

@jackkleeman
Copy link
Contributor Author

/retest

@jackkleeman
Copy link
Contributor Author

/retest

@jackkleeman jackkleeman mentioned this pull request Oct 22, 2019
Merged
@jackkleeman
Copy link
Contributor Author

/retest

1 similar comment
@jackkleeman
Copy link
Contributor Author

/retest

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@k8s-ci-robot k8s-ci-robot merged commit 43c9c07 into kubernetes:master Oct 23, 2019
@k8s-ci-robot k8s-ci-robot added this to the v1.17 milestone Oct 23, 2019
@jackkleeman jackkleeman mentioned this pull request Nov 12, 2019
Closed
6 tasks
@liyuerich liyuerich mentioned this pull request Aug 27, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k deads2k left review comments

@CaoShuFeng CaoShuFeng Awaiting requested review from CaoShuFeng

@smarterclayton smarterclayton Awaiting requested review from smarterclayton

Assignees

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/dependency Issues or PRs related to dependency changes cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
v1.17
Development

Successfully merging this pull request may close these issues.
4 participants
@jackkleeman @k8s-ci-robot @deads2k @fejta-bot