Add user-agent header in requests to Venafi API #6865
Conversation
jetstack-bot
added
release-note
|
/test pull-cert-manager-master-e2e-v1-28-issuers-venafi-tpp |
…uests This code existed in cert-manager once before and I'm reviving it. Here's the history: * Added: cert-manager#422 * Moved: cert-manager#432 * Obsoleted: cert-manager#797 * Deleted: cert-manager#966 Signed-off-by: Richard Wall <richard.wall@venafi.com>
|
/retest
|
Signed-off-by: Richard Wall <richard.wall@venafi.com>
Signed-off-by: Richard Wall <richard.wall@venafi.com>
wallrj
force-pushed
the
5803-cert-manager-user-agent-venafi-issuer
branch
from
09125e7
to
cca333d
Compare
Signed-off-by: Richard Wall <richard.wall@venafi.com>
…for Venafi Cloud Signed-off-by: Richard Wall <richard.wall@venafi.com>
…t-manager code Signed-off-by: Richard Wall <richard.wall@venafi.com>
wallrj
force-pushed
the
5803-cert-manager-user-agent-venafi-issuer
branch
from
b6a52d1
to
dd0762e
Compare
|
/test pull-cert-manager-master-e2e-v1-28-issuers-venafi-tpp |
|
/retest |
| // REST API endpoints. | ||
| // 3. The vcert package does not currently provide an easier way to change those | ||
| // settings. See: | ||
| // * https://github.com/Venafi/vcert/issues/437 |
There was a problem hiding this comment.
| // 3. The vcert package does not currently provide an easier way to change those | ||
| // settings. See: | ||
| // * https://github.com/Venafi/vcert/issues/437 | ||
| // * https://github.com/Venafi/vcert/issues/438 |
There was a problem hiding this comment.
|
/test pull-cert-manager-master-e2e-v1-28-issuers-venafi-tpp |
| @@ -183,16 +190,44 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister internalinformers.Se | |||
| Credentials: &endpoint.Authentication{ | |||
| APIKey: apiKey, | |||
| }, | |||
| Client: httpClientForVcert(&httpClientForVcertOptions{ | |||
| UserAgent: ptr.To(userAgent), | |||
| }), | |||
There was a problem hiding this comment.
Previously we did not supply a custom http.Client when connecting to Venafi Cloud,
instead relying on the default created by the vcert-sdk.
Here I've refactored and re-used the httpClientForVcert function which had previously only existed for the purpose of configuring the TLS renegotation setting when connecting to TPP.
Now it also allows us to configure the User-Agent header.
| func (u userAgentRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { | ||
| req.Header.Set("User-Agent", u.userAgent) | ||
| return u.inner.RoundTrip(req) | ||
| } |
There was a problem hiding this comment.
This code existed in cert-manager once before and I'm reviving it.
Here's the history:
- Added: Add a meaningful User-Agent. #422
- Moved: Plumb a user-agent through pretty much everywhere #432
- Obsoleted: Refactor ACME client construction into dedicated ACME package #797
- Deleted: Remove dead code and add extra comments #966
The only alteration I made was to use req.Header.Set rather than req.Header.Add,
because there should only be a single User-Agent header.
Other examples of this pattern:
- https://github.com/jetstack/venafi-connection-lib/pull/124
- https://github.com/opentofu/opentofu/blob/230fc89a28dfed5a4b0d6eed43dc8d9fc639d24b/internal/httpclient/useragent.go#L22-L34
The RoundTripper documentation says:
// RoundTrip should not modify the request, except for
// consuming and closing the Request's Body. RoundTrip may
// read fields of the request in a separate goroutine. Callers
// should not mutate or reuse the request until the Response's
// Body has been closed.
This implementation does mutate the request, but I don't think it will cause any problems.
And ultimately the vcert library may provide a way to set the User-Agent and their implementation will hopefully not use this RoundTripper pattern and instead add the header when they generate each request.
Or similar to how Go ACME package implemented it:
wallrj
changed the title
jetstack-bot
removed
the
do-not-merge/work-in-progress
wallrj
changed the title
There was a problem hiding this comment.
From my stand point this is a great enhancement to get in. The output you provided is far superior IMO than the current default user-agent set.
Can't comment on the code but it does look throughtly implemented. I've be happy to test an alpha release with his feature in.
| // Why is it necessary to create our own HTTP client for vcert? | ||
| // | ||
| // 1. We need to customize the client TLS renegotiation setting when connecting | ||
| // to certain TPP servers. |
There was a problem hiding this comment.
| // to certain TPP servers. | |
| // to TPP servers that accept mTLS authentication. |
I think this was the reason some TPP servers require this option, right?
There was a problem hiding this comment.
EDIT: I found that it is explained below, maybe we can add a reference [1] or something similar, so it is clear that the explanation follows.
| @@ -217,16 +252,19 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister internalinformers.Se | |||
| // because cert-manager establishes a new HTTPS connection for each API | |||
| // request and therefore should only ever need to renegotiate once in this | |||
| // scenario. | |||
| // 5. But overriding the HTTP client causes vcert to ignore the | |||
| // | |||
| // Why do we supply CA bundle in the HTTP client **and** in the vcert.Config? | |||
There was a problem hiding this comment.
Do we still have to pass the cabundle through vcert.Config?
If we always use a custom http client, I think we don't have to pass the CAs through vcert.Config anymore.
There was a problem hiding this comment.
EDIT: this comment explains why we pass it twice: https://github.com/cert-manager/cert-manager/pull/6865/files#diff-5f8cbfd3b75b6d8e0f899a92377a3aa5b5fa1867e18d19fcda51f8e8db2793b0L149-L156
Maybe we can refer to that comment here or add some extra info?
|
/approve |
jetstack-bot
added
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hawksight, inteon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
|
Thanks both for your reviews. @inteon I'll update the comment when I next visit that code....perhaps if Venafi/vcert#443 merges when vcert is next released and I can remove the RoundTripper /unhold |
jetstack-bot
removed
the
do-not-merge/hold
|
/kind feature |
jetstack-bot
added
kind/feature
TLDR
User-Agentheader to requests from cert-manager.User-Agentstring mirrors that used for the ACME issuer and includes cert-manager version details.User-Agentheader presence in TPP server logs.Details
As an administrator of a Venafi TPP server or of Venafi Cloud , I want to know which software is being used to connect to the REST API.
Right now the vcert SDK will use the default Go HTTP client User-Agent header: Go-http-client/1.1 and the requests from cert-manager will be indistinguishable with those from the
vcertcli or any other vcert-sdk using software.For example, if the TPP API server is being overwhelmed by a rapid repeated requests, I would like to be able to look at the IIS server logs, find the User-Agent of the offending requests and learn that the requests may be being generated by cert-manager.
As a maintainer of the cert-manager Venafi Issuer, I want it to send User-Agent: cert-manager/vX.Y.Z so that the administrator of a Venafi TPP server or Venafi Cloud service, can know which software is being used to connect to the REST API. Why? Because if there is a bug in the cert-manager Venafi issuer, which causes it to not back off in the event of a failed API request, the Venafi server administrator can quickly know that cert-manager is the culprit and quickly report the bug so that it be quickly fixed.
In this PR I've used the same User-Agent that is being used for the ACME issuer since: #4773.
The User-Agent headers will be:
Fixes: #5803
Testing
Local testing
Run mitmproxy:
Run the cert-manager controller locally:
make e2e-setup kubectl scale -n cert-manager deployment cert-manager --replicas 0 HTTPS_PROXY=localhost:8080 go run ./cmd/controller --kubeconfig ~/.kube/config --cluster-resource-namespace cert-managerE2E tests
/test pull-cert-manager-master-e2e-v1-28-issuers-venafi-tppinBefore:
(logs created by periodic tests using the existing cert-manager code)
After:
(logs created by cert-manager built from this branch)