Dynamically reload kube-aggregator certificates

[alenkacz]

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespace from that line:

/kind api-change
/kind bug
/kind cleanup
/kind deprecation
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

What this PR does / why we need it:
Dynamically load certificates for kube-aggregator

Which issue(s) this PR fixes:

Fixes #87766

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Kube-aggregator certificates are dynamically loaded on change from disk

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[alenkacz]

this probably deserves some tests :) I'll add those after initial review validating the direction of this PR

[deads2k]

/assign @p0lyn0mial

[alenkacz]

😂 I'll check out the failures, I have run only unit tests locally :)

[p0lyn0mial]

What happens to the old cert? It is still valid, right?

[p0lyn0mial]

it has to be dynamic, serverName, caBundle are not constant, what if they have changed?

[alenkacz]

based on my understanding, these are provided when kube-aggregator starts so they cannot change without the process being restarted. But I might have missed something...

[p0lyn0mial]

check when AddAPIService function is called - https://github.com/kubernetes/kubernetes/pull/88120/files#r379316414

[p0lyn0mial]

it will create a new config every second even though nothing has changed, are they any drawback?

[alenkacz]

yeah I should probably add checking whether the value changed, good point. I'll change that

[p0lyn0mial]

this is a hot path, now it depends on an external component, for example, it can return an error.

[alenkacz]

any suggestions how to resolve this?

[p0lyn0mial]

Thinking if we really need a controller, what would be an alternative design?

[alenkacz]

yeah I am open to other ideas, I pretty much kept this in line with how are similar problems solved in apiserver (so the dynamiccertificates package)

[p0lyn0mial]

How about:

1. Adding a function to APIAggregator that would return a cert and a key
2. Adding a new method to APIAggregator that would call updateAPIService for all proxyHandlers and would use a func from 1.
3. Wire Notify method to call the new function from 2

Alternatively:

1. Adding a new method to APIAggregator that would call updateAPIService for all proxyHandlers and would accept a cert and a key
2. Wire Notify method to call the new function from 1 and providing a cert and a key

Doing this that way we don't modify the hot path and we take potential changes in services into account. It should work if the old cert is still valid. What do you think?

@sttts FYI

[alenkacz]

@p0lyn0mial that solves it for proxy_handlers, and then available_controller will have to implement the exact same thing (that's why I went the way of extracting that logic outside, so both places can reuse it).

If we go and extract it then the only difference between your proposal and current implementation is whether it uses the workqueue or not. I like reusing workqueue since it's already proven piece of code that solves the async update for me.

No hard opinion here though, just putting out here why I went the way I went. I am totally fine shifting the direction :-)

[p0lyn0mial]

It seems that available_controller only needs a restConfig - slightly different one than proxy_handlers. I think that before it didn't use MTLS, now it does. I don't know why it was like that before but it should work with MTLS as well, right?

[p0lyn0mial]

alright, let's try with the controller, left some comments.

[alenkacz]

it does not use mtls as I pass insecure=true here https://github.com/kubernetes/kubernetes/pull/88120/files#diff-d92af716cdd9489e3f57d61b53adad72R216 ... should I make that more obvious somehow?

[alenkacz]

I think I got the confusion around "controller" now, the Run method I think is definitely something we don't need, it was even unused. I removed it, so now it really just asynchronously processes notifications.

[p0lyn0mial]

creating an http client on every sync doesn't seem right, we should reuse it if restConfig hasn't changed.

[p0lyn0mial]

It seems that available_controller only needs a restConfig - slightly different one than proxy_handlers. I think that before it didn't use MTLS, now it does. I don't know why it was like that before but it should work with MTLS as well, right?

[p0lyn0mial]

do we have to call it every minute if it already supports dynamiccertificates.Notifier ?

[alenkacz]

no :) I actually think we might not need the whole Run method 🤔 removing it...

[p0lyn0mial]

what if the underlying dynamic file read doesn't support "notification" ?:) I think we need to cover both paths.

[p0lyn0mial]

we need to stop it when RemoveAPIService was called.

[alenkacz]

oh good point... but right now when I removed the Run method it's actually just implementing Notifier, so there's nothing to stop anymore, correct?

The only think that's "running" right now is the dynamic file reader and that is reused across all restconfig providers so that should stop with the whole process going away

[p0lyn0mial]

hmm okay, but we still use up the memory we should clean up, wdyt?

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alenkacz
To complete the pull request process, please assign deads2k
You can assign the PR to them by writing /assign @deads2k in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• cmd/kube-apiserver/OWNERS
• staging/src/k8s.io/kube-aggregator/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fedebongio]

/assign @deads2k

[alenkacz]

/retest

[alenkacz]

/retest

[deads2k]

if there isn't a client cert/key pair, then the front proxy fails and we should return an error, right?

[deads2k]

I wouldn't expect certKeyContentProvider to be allowed to be nil.

[deads2k]

previously, we re-used the same transport for all requests instead of building a fresh one. Does this carry performance penalties in terms of object creation and GC?

@liggitt

[liggitt]

Yes, building this per request is expensive, especially when we set options (see comment on GetCert usage) that means every time updateAPIService is called we are guaranteed to no longer use the previously cached TLS config.

[deads2k]

my understanding is that we would do this for every negotiation, but we want is only to reload this if there was a change, right?

I'd be supportive of a change that adds a GetCert compatible function to the certKeyContentProvider to allow directly wiring the option here. This way we can write it to be aware of when it has changed.

[deads2k]

Why would we do this if the previous call returned an error?

[deads2k]

I don't understand why we use this value if the previous was nil

[liggitt]

should we make sure the files are readable at startup? a missing file error is easier to diagnose than weird anonymous request errors because the certs couldn't load in the background

[liggitt]

every time we create a GetCert function, we create a unique config that busts the cache of reusable client configs (the cache key for this is computed based on the function pointer address, see https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/client-go/transport/cache.go#L134)

in contrast, the previous version set static options that reused the cached tls config (and the existing kept-alive backend connections)

The TLS config cache has no size limit, which means this is effectively introducing a slow memory leak if APIService conditions flutter.

[alenkacz]

Hmm does the pointer address change though? 🤔This is implemented with the idea/impression that it does not change, am I wrong?

To test this, I wrote a following test:

• created a setup similar to the TestProxyCertReload
• checked the address in cache keey after calling updateAPIService
• wrote new certs to disk
• called updateAPIService again
• checked the address in cache

The address was the same.

[p0lyn0mial]

@liggitt I've opened adcd6e1 that demonstrates the key returned from the cache is the same as long as the address of GetCert function doesn't change

[p0lyn0mial]

@liggitt we could extend certKeyContentProvider to provide GetCert function so that the address stays the same and change the cache to take into account the content, not the address.

[p0lyn0mial]

I've opened 8520587 to demonstrate that. It still creates a new transport for each request. Most of the time the transport will be retrieved from the cache but even that incurs a small performance cost of acquiring a lock.

We could move the code back to updateAPIService method and reload the handler on the certificate change. In that case, this approach seems to be more complicated than #92791.

[liggitt]

@liggitt I've opened adcd6e1 that demonstrates the key returned from the cache is the same as long as the address of GetCert function doesn't change

hmm... if a function with the same pointer address can return different data to different callers, that means some of the existing ways we build the client config cache could have problems.

@liggitt we could extend certKeyContentProvider to provide GetCert function so that the address stays the same and change the cache to take into account the content, not the address.

Wouldn't that compute the cache key based on the initial cert content, which would conflate client configurations that should be kept distinct? For example, config A and config B could point to different file paths /a.ca and /b.ca which happen to contain the same content at startup... if those are being reloaded dynamically, we wouldn't want to make those share a client, since at a later point in time, those files' content could diverge.

[p0lyn0mial]

hmm... if a function with the same pointer address can return different data to different callers, that means some of the existing ways we build the client config cache could have problems.

comparing the address of a function doesn't seem right since golang forbids comparing the addresses of functions in general.

would you accept a patch that changes this behavior? Ideally, if we could serialize getCert and compare the bytes.

[liggitt]

comparing the address of a function doesn't seem right since golang forbids comparing the addresses of functions in general.

yeah, I'm not thrilled with the approach... the places we do that currently are for non-serializable injected implementations.

would you accept a patch that changes this behavior? Ideally, if we could serialize getCert and compare the bytes.

we'd need a way to determine the identity / compare instances of the dynamic methods (GetCert, Dial, and Proxy)

[liggitt]

Yes, building this per request is expensive, especially when we set options (see comment on GetCert usage) that means every time updateAPIService is called we are guaranteed to no longer use the previously cached TLS config.

[p0lyn0mial]

/close

I'm closing this PR in favor of #92791. Although the solution presented in this PR looked appealing we missed a few important details. Many thanks, @alenkacz for your outstanding work and uncovering a long-lasting issue in the TLS cache!

[k8s-ci-robot]

@alenkacz: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

@p0lyn0mial: Closed this PR.

In response to this:

/close

I'm closing this PR in favor of #92791. Although the solution presented in this PR looked appealing we missed a few important details. Many thanks, @alenkacz for your outstanding work and uncovering a long-lasting issue in the TLS cache!

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.