-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: client-go/transport: support reloading CA file #122749
Conversation
Signed-off-by: Monis Khan <mok@microsoft.com>
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: enj The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Monis Khan <mok@microsoft.com>
newRT := baseRT.Clone() | ||
newRT.TLSClientConfig.RootCAs = rootCAs | ||
|
||
transport.rt.Store(newRT) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how does this behave with existing connections?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Connection tracking happens at the round tripper so once the old rt
is unused those connections would be unused (presumably with some cleanup at the OS level once the Go GC cleans up).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think calling CloseIdleConnections
on the old transport would be appropriate.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe we should reuse dynamicCertDialer := certRotatingDialer(tlsConfig.GetClientCertificate, dial)
to close all connections ? (just in case the old rootCAs
becomes invalid)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you would need a more targeted approach to only close connections associated with the old transport (which is hard to do since the dialer is shared).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but at the time of the reload because you have a new rootCA you'll only have connections that need to be disrupted because you only have the old transport, it kind of looks based on your explanations that certRotatingDialer
watching the rootca as you are doing here seems the best approach
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
at the time of the reload because you have a new rootCA you'll only have connections that need to be disrupted
@aojea this is not true because the server will not close existing connections nor will the client need to verify the old connections with the new root (and servers are supposed to do graceful rotation of their roots anyway but even without that the old connections will work fine).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
oh, I see you want to do seamless rotation, I was assuming that you could do the same we do in kubelet, cleanup all the connections and restart with the new certificate all the connections ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need the hard cut over with client certs because of how the API server handles authentication. We don't need it for root CA changes, so it seems better to gracefully rotate.
@enj: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
caFile := config.TLS.CAFile | ||
caData := config.TLS.CAData | ||
baseRT := transport.rt.Load().Clone() | ||
go wait.UntilWithContext(wait.ContextForChannel(DialerStopCh), func(_ context.Context) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should be controller.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, mostly meant as a POC.
@@ -127,14 +148,47 @@ func (c *tlsTransportCache) get(config *Config) (http.RoundTripper, error) { | |||
proxy = config.Proxy | |||
} | |||
|
|||
transport := utilnet.SetTransportDefaults(&http.Transport{ | |||
transport := buildReloadableTransport(utilnet.SetTransportDefaults(&http.Transport{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it can actually work!
@enj @p0lyn0mial I was yesterday trying to reproduce this behavior locally and I have several knowledge gaps to understand how this works? When the servers reloads the root CA?
|
I assume you are referring to the CA used to validate the incoming connections (from clients in that case). In that case I think that the server won't terminate already established connections. The server wires a controller into @stlaz pointed me yesterday to the commit that explains
|
No, the new TLS config is only used for new TLS connections.
No, because they are using the old TLS config. And also, root CA rotation is expected to use approaches like cross signing to avoid disrupting clients.
Client certs (can) have a different set of trust roots than server CA, so these operations are not linked. We do not close connections when changing the client cert roots on the server, hence stuff like #120621 can happen because authentication happens per request, not per connection (related to the comment above from @stlaz and @p0lyn0mial). |
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
/kind bug
/triage accepted
/cc p0lyn0mial aojea stlaz
Fixes #119483