controller refresh certificate #3489
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: ashutosji The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
cmd/controller/main.go
Outdated
| newHTTPServer := &http.Server{ | ||
| Addr: ":8081", | ||
| Handler: httpsServer.Mux, | ||
| } | ||
| newHTTPServer.TLSConfig = &tls.Config{ | ||
| Certificates: []tls.Certificate{*newCert}, | ||
| } | ||
|
|
||
| // Update the TLS configuration | ||
| go func() { | ||
| if err := newHTTPServer.ListenAndServeTLS("", ""); err != nil { | ||
| logger.WithError(err).Error("Failed to update TLS configuration") | ||
| } | ||
| }() |
There was a problem hiding this comment.
Hi @markmandel and @zmerlynn,
The moto is to update reloaded certificates in the existing server. But, however i did not find a way to update httpsServer.TLSConfig. I thought of creating a new server and updating the reloaded certificates. But it doesn't seems correct to me and technically it is wrong. Since, we are using custom server by utilizing this package https://github.com/googleforgames/agones/blob/main/pkg/util/https/server.go. Can i get right approach or suggestions on this?
There was a problem hiding this comment.
I found a great StackOverflow post on this, with links to several examples:
https://stackoverflow.com/questions/37473201/is-there-a-way-to-update-the-tls-certificates-in-a-net-http-server-without-any-d
TL;DR - https://pkg.go.dev/crypto/tls#Config exposes a GetCertificate(...) function that will be called when a certificate is required - returning whatever is the current certificate from that is the appropriate way to go.
There was a problem hiding this comment.
Sure, Thanks I will check this.
There was a problem hiding this comment.
This is the package we should update:
https://github.com/googleforgames/agones/blob/1708fe9a6efdad4061c7a53ec8835dc92d4f4fbe/pkg/util/https/server.go
|
Build Succeeded 👏 Build Id: c1338ef2-b911-4a77-bd13-881ef76c8b7c The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
ashutosji
force-pushed
the
controller-refresh-certificate
branch
from
e32bb21 to
e58b9d5
Compare
|
Build Failed 😱 Build Id: bcc4805e-be14-4fca-9b71-cf3571d3c7cd To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
ashutosji
force-pushed
the
controller-refresh-certificate
branch
from
e58b9d5 to
97c811a
Compare
|
Build Failed 😱 Build Id: 49dcef0d-03d2-48b6-b43e-00ff8f4d8e26 To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
|
Build Failed 😱 Build Id: da863859-46c1-4a80-b6d7-705a5c911137 To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
ashutosji
force-pushed
the
controller-refresh-certificate
branch
from
3b9f1c7 to
d7f1a17
Compare
|
Build Succeeded 👏 Build Id: c254a1f5-317a-4e92-b651-9b05ff5501a5 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
There was a problem hiding this comment.
I still think we should implement it like the pattern mentioned in https://stackoverflow.com/questions/37473201/is-there-a-way-to-update-the-tls-certificates-in-a-net-http-server-without-any-d. I.e. have a structure to keep the certs, which get refreshed bya goroutine to watch for certificate changes (i.e. watch on the tlsDir). Then the tls.TLSConfig.GetCertificate can be set to a func that simply return whatever is in the structure rather than load the cert again.
The major concern I have for the current implementation is that I'm not quite sure when the GetCertificate is called and whether it could miss some corner case, which would not be an issue in the option that using goroutine to watch for certificate changes.
ashutosji
force-pushed
the
controller-refresh-certificate
branch
from
d7f1a17 to
6c38905
Compare
|
Build Failed 😱 Build Id: 2854c057-8936-4ce7-a81f-a341b6cc4c9a To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
You are right! Rather than loading the file every time, I can store the current certificate in the structure and have GetCertificate function which will simple return the certificate. But however, There are two issue that I am facing:
|
|
Build Failed 😱 Build Id: 5faf7f2e-7cff-4292-867c-c52f5872a702 To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
There was a problem hiding this comment.
I think line 123 should be changed to err := s.tls.ListenAndServeTLS("", ""), similar as https://github.com/googleforgames/agones/blob/main/cmd/allocator/main.go#L351
pkg/util/https/server.go
Outdated
| } | ||
|
|
||
| // Start a goroutine to watch for certificate changes | ||
| go s.watchForCertificateChanges() |
There was a problem hiding this comment.
This doesn't need to be a gorountine, just s.watchForCertificateChanges() should be fine
There was a problem hiding this comment.
Sure, I made WatchForCertificateChanges() function public so that it should be accessible from extensions/controller.
pkg/util/https/server.go
Outdated
| s.logger.WithError(err).Fatal("could not create watcher for TLS certs") | ||
| } | ||
|
|
||
| defer cancelTLS() |
There was a problem hiding this comment.
This will close the watcher after this func returns. I think you need to return this cancelTLS() function to the caller (actually up to the main.go of controller/extension) and defer it there, so the watcher can keep watching the events.
There was a problem hiding this comment.
Thanks you so much.
Yes, watcher was getting close after func return. I have modified the WatchForCertificateChanges() function and called it in extensions. It's working!
ashutosji
force-pushed
the
controller-refresh-certificate
branch
from
fbca193 to
fcde21b
Compare
|
Build Failed 😱 Build Id: 88eaf97a-dd31-4f07-931f-f5a2aec7152b To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
ashutosji
force-pushed
the
controller-refresh-certificate
branch
from
fcde21b to
fd4eb4f
Compare
|
Build Failed 😱 Build Id: dc3b4cc3-16dc-435d-9b26-c5381238287d To get permission to view the Cloud Build view, join the agones-discuss Google Group. |
|
Build Succeeded 👏 Build Id: d1f89fab-f8ea-420e-bd2b-1df02c6216b7 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
pkg/util/https/server.go
Outdated
| Certs *cryptotls.Certificate | ||
| CertMu sync.Mutex |
There was a problem hiding this comment.
nit: these fields doesn't have to exported (beginning with upper case) since they are only used in this package, right? Better to change them to unexported for stricter restriction. Similar for the CertServer in Server.
There was a problem hiding this comment.
Yeah! Thanks for pointing. It should be unexported type.
|
Build Succeeded 👏 Build Id: fb9ea940-891d-40e3-ba6d-879c77605b66 The following development artifacts have been built, and will exist for the next 30 days:
A preview of the website (the last 30 builds are retained): To install this version:
|
What type of PR is this?
What this PR does / Why we need it:
Which issue(s) this PR fixes:#3133
Closes #3133
Special notes for your reviewer: