ocsp-updater: Split work by a configurable serial suffix shard #5628

Merged

Conversation

@jcjones jcjones commented Sep 2, 2021

  • Enable ocsp-updater to query for serials matching a configurable suffix to
    allow for multiple ocsp-updater instances at once
  • Add field SerialSuffixShards to OCSPUpdaterConfig
  • Add field serialSuffixShards to test/config-next/ocsp-updater.json
  • Add codepath to default to the previous query when serialSuffixShards is
    missing from the JSON config

Part of #5629
Fixes #5625

@jcjones jcjones marked this pull request as ready for review September 2, 2021 18:39
@jcjones jcjones requested a review from a team as a code owner September 2, 2021 18:39
@beautifulentropy beautifulentropy left a comment

One small nit.

@beautifulentropy beautifulentropy changed the title Allow OCSP Updater to shard out its work ocsp-updater: Split work by a configurable serial suffix shard Sep 2, 2021
Co-authored-by: Samantha <hello@entropy.cat>
beautifulentropy commented Sep 2, 2021

A natural evolution for this would be a worker (goroutine) for each configured shard so that we don't have to check for full serial coverage (e.g. do each of these shards make a whole) at the configuration management layer (SaltStack). One drawback of this current implementation is that ocsp_staleness_ages metrics are derived from the tool itself, so if the combined instances of the ocsp-updater are missing a narrow shard of serials we wouldn't be alerted unless we noticed an overall drop in total updates or alerts on ocsp_response_ages emitted by ocsp-responder. Given the critical nature of this change though, I'm fine with shipping it in its current form.
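
The coverage question raised in the comment above (do the configured shards make a whole), as an added example that is not part of this pull request or the project's code: a Go check that reports serial endings no instance claims and endings claimed more than once. It assumes each instance's shards are lowercase hex suffixes of one to four digits and generalises to mixed suffix lengths; `CheckCoverage` and the instance names are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// CheckCoverage takes instance -> serial suffixes (assumed lowercase hex, 1-4
// digits); it returns endings no shard claims and endings claimed twice or more.
func CheckCoverage(instances map[string][]string) (gaps, overlaps []string, err error) {
	maxLen := 0
	for name, shards := range instances {
		for _, s := range shards {
			if s == "" || len(s) > 4 || strings.Trim(s, "0123456789abcdef") != "" {
				return nil, nil, fmt.Errorf("%s: invalid suffix %q", name, s)
			}
			if len(s) > maxLen {
				maxLen = len(s)
			}
		}
	}
	if maxLen == 0 {
		return nil, nil, fmt.Errorf("no suffixes configured")
	}
	// Enumerate every possible serial ending of maxLen hex digits.
	for i := 0; i < 1<<(4*maxLen); i++ {
		ending := fmt.Sprintf("%0*x", maxLen, i)
		claims := 0
		for _, shards := range instances {
			for _, s := range shards {
				if strings.HasSuffix(ending, s) {
					claims++
				}
			}
		}
		if claims == 0 {
			gaps = append(gaps, ending)
		} else if claims > 1 {
			overlaps = append(overlaps, ending)
		}
	}
	return gaps, overlaps, nil
}

func main() { // constructed sample: "e" listed twice, "f" claimed by nobody
	fmt.Println(CheckCoverage(map[string][]string{
		"updater-a": {"0", "1", "2", "3", "4", "5", "6", "7"},
		"updater-b": {"8", "9", "a", "b", "c", "d", "e", "e"},
	}))
}
```

Run against the rendered configuration of every instance before deployment, a non-empty gap list is the case the comment describes: serials that no updater would refresh and that the tool's own staleness metrics would not reveal.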

@beautifulentropy beautifulentropy merged commit 0f16ff6 into letsencrypt:main Sep 2, 2021
beautifulentropy pushed a commit that referenced this pull request Sep 2, 2021
- Enable `ocsp-updater` to query for serials matching a configurable suffix to
  allow for multiple `ocsp-updater` instances at once
- Add field `SerialSuffixShards` to `OCSPUpdaterConfig`
- Add field `serialSuffixShards` to `test/config-next/ocsp-updater.json`
- Add codepath to default to the previous query when `serialSuffixShards` is
  missing from the JSON config

Part of #5629
Fixes #5625
Development

Successfully merging this pull request may close these issues.

Allow work-splitting for ocsp-updater