Skip to content

Dynamic serving certificates #84200

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 24, 2019
Merged

Dynamic serving certificates #84200

merged 2 commits into from
Oct 24, 2019

Conversation

jackkleeman
Copy link
Contributor

@jackkleeman jackkleeman commented Oct 22, 2019
edited
Loading

What type of PR is this?
/kind feature

What this PR does / why we need it:
This PR means that apiserver serving certificates are reloaded off of disk every minute, and notify the dynamic certificate controller when they change, leading to an updated tls.Config being served. SNI certs will be handled in a later PR

Which issue(s) this PR fixes:
Fixes #66448

Does this PR introduce a user-facing change?:

Reload apiserver serving certificate from disk every minute

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Oct 22, 2019
@k8s-ci-robot
Copy link
Contributor

Hi @jackkleeman. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. area/apiserver area/kubelet area/test sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 22, 2019
@jackkleeman
Copy link
Contributor Author

/assign @deads2k

sttts
sttts reviewed Oct 23, 2019
View reviewed changes
staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_serving_content.go Outdated
}

// check to see if we have a change. If the values are the same, do nothing.
existing, ok := c.caBundle.Load().(*certKeyContent)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as in the other pull. Why doesn't this panic when nil is stored?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://goplay.space/#XCopwfJX4wZ

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It shouldn't because of the ok, I thought?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://goplay.space/#ihS7n_GjIQr

@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Oct 23, 2019
@jackkleeman
Dynamic serving certificate
3f5fbfb 
Reload certificate cert and key file from disk every minute and notify
the dynamic certificate controller when they change, allowing serving
tls config to be updated.
@jackkleeman
Add integration test for serving cert rotation
4e99b5d
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Oct 24, 2019
deads2k
deads2k reviewed Oct 24, 2019
View reviewed changes
staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_serving_content.go
}

// check to see if we have a change. If the values are the same, do nothing.
existing, ok := c.servingCert.Load().(*certKeyContent)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sttts are you happy with this? I refactored the other one, but this may work.

@jackkleeman you can match the other one and be golden.

@deads2k
Copy link
Contributor

deads2k commented Oct 24, 2019

I'm convinced by the playground test.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 24, 2019
@deads2k
Copy link
Contributor

deads2k commented Oct 24, 2019
edited
Loading

/lgtm
/approve
/ok-to-test
/refresh
/skip
/retest
/do-wtf-i-want-and-merge-it

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 24, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, jackkleeman

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 24, 2019
@jackkleeman
Copy link
Contributor Author

/retest

@jackkleeman jackkleeman mentioned this pull request Oct 24, 2019
Merged
@deads2k
Copy link
Contributor

deads2k commented Oct 24, 2019

/retest
/priority important-soon

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Oct 24, 2019
@k8s-ci-robot k8s-ci-robot merged commit 04632e8 into kubernetes:master Oct 24, 2019
@k8s-ci-robot k8s-ci-robot added this to the v1.17 milestone Oct 24, 2019
tedyu
tedyu reviewed Oct 25, 2019
View reviewed changes
staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_serving_content.go
if err != nil {
return err
}
if len(cert) == 0 || len(key) == 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems the cert length check can be performed prior to reading keyFile.

@jackkleeman jackkleeman deleted the dynamic-serving-cert branch October 25, 2019 08:39
@jackkleeman jackkleeman mentioned this pull request Nov 12, 2019
Closed
6 tasks
@alenkacz alenkacz mentioned this pull request Feb 3, 2020
Closed
@geotransformer geotransformer mentioned this pull request Mar 14, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tedyu tedyu tedyu left review comments

@sttts sttts sttts left review comments

@deads2k deads2k deads2k left review comments

@logicalhan logicalhan Awaiting requested review from logicalhan

Assignees

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/kubelet area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.17
Development

Successfully merging this pull request may close these issues.

Implement mechanism for certificates rotation in aggregated API servers
5 participants
@jackkleeman @k8s-ci-robot @deads2k @tedyu @sttts