New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add user-agent header in requests to Venafi API #6865
Add user-agent header in requests to Venafi API #6865
Conversation
/test pull-cert-manager-master-e2e-v1-28-issuers-venafi-tpp |
…uests This code existed in cert-manager once before and I'm reviving it. Here's the history: * Added: cert-manager#422 * Moved: cert-manager#432 * Obsoleted: cert-manager#797 * Deleted: cert-manager#966 Signed-off-by: Richard Wall <richard.wall@venafi.com>
/retest
|
Signed-off-by: Richard Wall <richard.wall@venafi.com>
Signed-off-by: Richard Wall <richard.wall@venafi.com>
09125e7
to
cca333d
Compare
Signed-off-by: Richard Wall <richard.wall@venafi.com>
…for Venafi Cloud Signed-off-by: Richard Wall <richard.wall@venafi.com>
…t-manager code Signed-off-by: Richard Wall <richard.wall@venafi.com>
b6a52d1
to
dd0762e
Compare
/test pull-cert-manager-master-e2e-v1-28-issuers-venafi-tpp |
/retest
|
// REST API endpoints. | ||
// 3. The vcert package does not currently provide an easier way to change those | ||
// settings. See: | ||
// * https://github.com/Venafi/vcert/issues/437 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// 3. The vcert package does not currently provide an easier way to change those | ||
// settings. See: | ||
// * https://github.com/Venafi/vcert/issues/437 | ||
// * https://github.com/Venafi/vcert/issues/438 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/test pull-cert-manager-master-e2e-v1-28-issuers-venafi-tpp |
@@ -183,16 +190,44 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister internalinformers.Se | |||
Credentials: &endpoint.Authentication{ | |||
APIKey: apiKey, | |||
}, | |||
Client: httpClientForVcert(&httpClientForVcertOptions{ | |||
UserAgent: ptr.To(userAgent), | |||
}), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Previously we did not supply a custom http.Client
when connecting to Venafi Cloud,
instead relying on the default created by the vcert-sdk.
Here I've refactored and re-used the httpClientForVcert
function which had previously only existed for the purpose of configuring the TLS renegotation setting when connecting to TPP.
Now it also allows us to configure the User-Agent header.
func (u userAgentRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { | ||
req.Header.Set("User-Agent", u.userAgent) | ||
return u.inner.RoundTrip(req) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This code existed in cert-manager once before and I'm reviving it.
Here's the history:
- Added: Add a meaningful User-Agent. #422
- Moved: Plumb a user-agent through pretty much everywhere #432
- Obsoleted: Refactor ACME client construction into dedicated ACME package #797
- Deleted: Remove dead code and add extra comments #966
The only alteration I made was to use req.Header.Set
rather than req.Header.Add
,
because there should only be a single User-Agent
header.
Other examples of this pattern:
- https://github.com/jetstack/venafi-connection-lib/pull/124
- https://github.com/opentofu/opentofu/blob/230fc89a28dfed5a4b0d6eed43dc8d9fc639d24b/internal/httpclient/useragent.go#L22-L34
The RoundTripper documentation says:
// RoundTrip should not modify the request, except for
// consuming and closing the Request's Body. RoundTrip may
// read fields of the request in a separate goroutine. Callers
// should not mutate or reuse the request until the Response's
// Body has been closed.
This implementation does mutate the request, but I don't think it will cause any problems.
And ultimately the vcert library may provide a way to set the User-Agent and their implementation will hopefully not use this RoundTripper pattern and instead add the header when they generate each request.
Or similar to how Go ACME package implemented it:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From my stand point this is a great enhancement to get in. The output you provided is far superior IMO than the current default user-agent set.
Can't comment on the code but it does look throughtly implemented. I've be happy to test an alpha release with his feature in.
// Why is it necessary to create our own HTTP client for vcert? | ||
// | ||
// 1. We need to customize the client TLS renegotiation setting when connecting | ||
// to certain TPP servers. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// to certain TPP servers. | |
// to TPP servers that accept mTLS authentication. |
I think this was the reason some TPP servers require this option, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
EDIT: I found that it is explained below, maybe we can add a reference [1]
or something similar, so it is clear that the explanation follows.
@@ -217,16 +252,19 @@ func configForIssuer(iss cmapi.GenericIssuer, secretsLister internalinformers.Se | |||
// because cert-manager establishes a new HTTPS connection for each API | |||
// request and therefore should only ever need to renegotiate once in this | |||
// scenario. | |||
// 5. But overriding the HTTP client causes vcert to ignore the | |||
// | |||
// Why do we supply CA bundle in the HTTP client **and** in the vcert.Config? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we still have to pass the cabundle through vcert.Config?
If we always use a custom http client, I think we don't have to pass the CAs through vcert.Config anymore.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
EDIT: this comment explains why we pass it twice: https://github.com/cert-manager/cert-manager/pull/6865/files#diff-5f8cbfd3b75b6d8e0f899a92377a3aa5b5fa1867e18d19fcda51f8e8db2793b0L149-L156
Maybe we can refer to that comment here or add some extra info?
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hawksight, inteon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thanks both for your reviews. @inteon I'll update the comment when I next visit that code....perhaps if Venafi/vcert#443 merges when vcert is next released and I can remove the RoundTripper /unhold |
/kind feature |
TLDR
User-Agent
header to requests from cert-manager.User-Agent
string mirrors that used for the ACME issuer and includes cert-manager version details.User-Agent
header presence in TPP server logs.Details
As an administrator of a Venafi TPP server or of Venafi Cloud , I want to know which software is being used to connect to the REST API.
Right now the vcert SDK will use the default Go HTTP client User-Agent header: Go-http-client/1.1 and the requests from cert-manager will be indistinguishable with those from the
vcert
cli or any other vcert-sdk using software.For example, if the TPP API server is being overwhelmed by a rapid repeated requests, I would like to be able to look at the IIS server logs, find the User-Agent of the offending requests and learn that the requests may be being generated by cert-manager.
As a maintainer of the cert-manager Venafi Issuer, I want it to send User-Agent: cert-manager/vX.Y.Z so that the administrator of a Venafi TPP server or Venafi Cloud service, can know which software is being used to connect to the REST API. Why? Because if there is a bug in the cert-manager Venafi issuer, which causes it to not back off in the event of a failed API request, the Venafi server administrator can quickly know that cert-manager is the culprit and quickly report the bug so that it be quickly fixed.
In this PR I've used the same User-Agent that is being used for the ACME issuer since: #4773.
The User-Agent headers will be:
Fixes: #5803
Testing
Local testing
Run mitmproxy:
Run the cert-manager controller locally:
make e2e-setup kubectl scale -n cert-manager deployment cert-manager --replicas 0 HTTPS_PROXY=localhost:8080 go run ./cmd/controller --kubeconfig ~/.kube/config --cluster-resource-namespace cert-manager
E2E tests
/test pull-cert-manager-master-e2e-v1-28-issuers-venafi-tpp
inBefore:
(logs created by periodic tests using the existing cert-manager code)
After:
(logs created by cert-manager built from this branch)