ca: all managers will update their security configs when cluster root CA updated#1984
Conversation
cyli
force-pushed
the
managers-update-root-ca
branch
from
36ee1c9 to
f66156e
Compare
Codecov Report
@@ Coverage Diff @@
## master #1984 +/- ##
==========================================
+ Coverage 53.61% 53.72% +0.11%
==========================================
Files 109 109
Lines 18919 18923 +4
==========================================
+ Hits 10144 10167 +23
+ Misses 7541 7520 -21
- Partials 1234 1236 +2Continue to review full report at Codecov.
|
cyli
changed the title
cyli
force-pushed
the
managers-update-root-ca
branch
from
f66156e to
5e0ea96
Compare
cyli
changed the title
| <-done | ||
| } | ||
|
|
||
| // If the root CA materia is updated in the memory store, a manager will update its own |
There was a problem hiding this comment.
material
(I don't get any pleasure out of pointing out typos, but if I don't do it, someone else will open a PR, and I prefer to preempt those.)
There was a problem hiding this comment.
I appreciate it! I tend to misspell a bunch of stuff. I wonder if we should add github.com/client9/misspell/cmd/misspell to the linter?
There was a problem hiding this comment.
I don't know what the false positive rate is, but I guess it can't hurt to try.
There was a problem hiding this comment.
Looks like it wouldn't have caught this one anyway, I guess because materia is a real word, although latin).
|
|
||
| // skipAutoUpdateRootCA, if set to true, causes the CA server to skip automatically updating | ||
| // the signing credentials based on changes in the memory store | ||
| skipAutoUpdateRootCA bool |
There was a problem hiding this comment.
The auto-update functionality seems like it's only used for test cases. I'm curious how difficult/ugly it would be to completely remove this.
There was a problem hiding this comment.
We can add a cluster watch functionality to the test CA server. I put this in mainly because it seemed nice for the CA server to a be completely self-sufficient server, if necessary, if someone wanted to run one independently of the manager (which I agree, we are only only for tests, but the CA server would not be as usable otherwise).
There was a problem hiding this comment.
I'll trust your judgement on this. I didn't like having an option that's never enabled by the actual program, but it's basically enabling or disabling a function call, and the alternative is having the test harness do significantly more.
There was a problem hiding this comment.
Another option I was considering was to have a separate startable goroutine on the server that would watch the memory store and auto-update the RootCA. Then whomever is responsible for starting it would have to cancel it as well. Would this be more preferable? But again, this would only be used for the tests.
There was a problem hiding this comment.
I still think it's better to move the s.UpdateRootCA call out of the CA server code, but I won't block the PR on this.
There was a problem hiding this comment.
Ok, I don't feel super strongly about my position - it's more of a preference, so happy to address this.
|
Another option I was considering was to have a separate startable goroutine on the server that would watch the memory store and auto-update the RootCA. Then whomever is responsible for starting it would have to cancel it as well. Would this be more preferable? But again, this would only be used for the tests.
Not to me.
|
cyli
force-pushed
the
managers-update-root-ca
branch
2 times, most recently
from
143ceac to
747ed31
Compare
…heir SecurityConfig's RootCA upon a change in the cluster's RootCA configuration. Signed-off-by: cyli <ying.li@docker.com>
cyli
force-pushed
the
managers-update-root-ca
branch
from
747ed31 to
7d8f54f
Compare
| if err := ca.UpdateSecurityConfigFromCluster(ctx, m.config.SecurityConfig, cluster); err != nil { | ||
| log.G(ctx).WithError(err).Error("updating Root CA failed") | ||
| } | ||
| m.caserver.UpdateJoinTokens(ctx, cluster) |
There was a problem hiding this comment.
It seems weird for a function called updateRootCA to be updating join tokens.
There was a problem hiding this comment.
Would a rename to something more appropriate be ok, or would you suggest having 2 watches on the cluster, one to update the root CA and one to update the join tokens? My preference is for the first, to make sure that both are updated in sync.
|
|
||
| // UpdateSecurityConfigFromCluster takes an api.Cluster object and updates the security config based on the changes | ||
| // in the RootCA and ExternalURLs from that cluster object. | ||
| func UpdateSecurityConfigFromCluster(ctx context.Context, s *SecurityConfig, cluster *api.Cluster) error { |
There was a problem hiding this comment.
Maybe just UpdateSecurityConfig?
Would it make sense to make it a method on (*SecurityConfig)? and call it Update?
…entirely Signed-off-by: cyli <ying.li@docker.com>
cyli
force-pushed
the
managers-update-root-ca
branch
from
7d8f54f to
4d0ba73
Compare
|
LGTM |
|
ping @diogomonica |
4 participants
Rather than just the leader that is running the CA server. This way on root rotation, all managers will get root changes right away.
#1983 will actually update the TLS creds with the new root pool when the RootCA is updated