Reload VaultConfig if CAFile, CertFile, KeyFile have changed #6677
Conversation
Xopherus
force-pushed
the
fix-vault-config-reload
branch
from
9208554
to
988c80c
Compare
Xopherus
force-pushed
the
fix-vault-config-reload
branch
from
988c80c
to
57b365d
Compare
There was a problem hiding this comment.
Thanks for submitting the PR. Overall this is good, though need to be careful about mutations and tls files being updated in-place.
We, the nomad team, probably should consider having the internal structs contain the raw file bytes rather than file paths; this would ease reasoning around handling file modifications and detecting changes/drifts.
|
|
||
| if a.Checksum == "" { | ||
| if err := a.SetChecksum(); err != nil { | ||
| return true, err |
There was a problem hiding this comment.
Feels like we should use false as the fail value. Besides being the zero value, if we were to accidentally ignore the returned error, we'd fail by refreshing vault config, which is a noop if files didn't actually change.
Noticed that the TLS config has that behavior in
nomad/nomad/structs/config/tls.go
Lines 253 to 260 in 8e4a5f1
| return true, err | |
| return false, err |
| } | ||
|
|
||
| // SetChecksum generates and sets the checksum for a Vault configuration. | ||
| func (a *VaultConfig) SetChecksum() error { |
There was a problem hiding this comment.
This probably should be called by Merge() to avoid using a stale pre-merge checksum accidentally.
| } | ||
| return true | ||
| return a.Checksum == b.Checksum, nil |
There was a problem hiding this comment.
Populating SetChecksum lazily causes missing the first update. Consider the case where the tls files are manipulated in place and SIGHUP sent to nomad. The checksums for both objects would reflect the latest and this function returns true unexpectedly.
We probably should call SetChecksum during config initialization.
|
@notnoop I appreciate the review. I did end up deploying a version of this to test in my stack and like you said, I found that this was incomplete. However I did leave a comment with some of my findings on #4593 (comment) and I think the scope is actually much larger than I initially expected. Certainly it's much larger of an effort that I can do by myself. That being said, I think this feature is sorely needed in order to run Nomad with Vault-backed TLS, and would be glad to help provide more information to the Nomad team to help make this happen. If that's cool with you, then I think we can close this PR. |
|
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions. |
Fixes #4395, #6052