New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UPSTREAM: 88120: add dynamic certificate reloading for kube aggregator #24607
UPSTREAM: 88120: add dynamic certificate reloading for kube aggregator #24607
Conversation
/hold Do not review it. |
/retest |
0b01456
to
cb0b340
Compare
alright, CI feedback was positive. What's the best way to test it? Create a cluster and leave it for 24h? |
if err != nil { | ||
panic(err) | ||
} | ||
discoveryClient := &http.Client{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that I have an idea (check the upstream PR) how to change that code so that we don't have to create a new http client on every sync
(every 30s).
/retest |
/lgtm @deads2k PTAL |
Alright, so I managed to test it more or less. Because I failed to create a cluster on GCP I modified the operator to rotate the certificates more quickly and created a cluster on AWS. I haven't found any suspicious entries in the logs at the time of certificate reloading except:
which seems to be related to #24607 (comment) as the certificate will be reloaded after 30 seconds in the worst case. Additionally, @sttts suggested to manually update the secret ( |
/hold cancel |
/retest |
…CertKeyPairContent controller
2c04f41
to
d290116
Compare
if err := aggregatorProxyCerts.RunOnce(); err != nil { | ||
return nil, err | ||
} | ||
aggregatorProxyCerts.AddListener(apiserviceRegistrationController) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
order is correct? Would expect AddListener before the RunOnce()
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it does the initial loading? Then it's fine I guess.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that is correct, we use CurrentCertKeyContent
function for loading the certificate.
/lgtm |
/cherrypick release-4.4 |
@p0lyn0mial: once the present PR merges, I will cherry-pick it on top of release-4.4 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mfojtik, p0lyn0mial, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Please review the full test history for this PR and help us cut down flakes. |
8 similar comments
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
/retest Please review the full test history for this PR and help us cut down flakes. |
@p0lyn0mial: new pull request created: #24621 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
not clean, needs review.
based on openshift/kubernetes@adfea73#diff-40fbc204fb430ee43a18f381a4e2182e