Open questions:
fspmarshall left a comment:
Added some minor nits, but LGTM overall.
rosstimothy left a comment:
Overall looks good. Can you add some test coverage for the things you added/fixed?
This still lets us do the CA filtering for the Node cache and the syncRotationStateCycle watcher without adding new data to CAs. As a bonus, the cache can now fetch only the required CAs on initialization.
| if services.CertAuthoritiesEquivalent(existing, ca) { | ||
| return nil | ||
| } |
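Review bot: the early `return nil` behind `services.CertAuthoritiesEquivalent(existing, ca)` silently drops an update whose only difference is the metadata ID that the equivalence check ignores, so a caller that expects the stored resource's ID to advance after this call will not see it; log the skipped update at debug level, as agreed in the thread, and add a comment above the check stating that an ID-only change is intentionally not persisted.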
@espadolini @fspmarshall I'm a little worried that silently skipping updates like this might result in very subtle bugs where e.g. we forget to update the CertAuthoritiesEquivalent method after introducing another CA field or something. What do you think about at least logging it here?
CertAuthoritiesEquivalent is defined as cmp.Equal skipping the metadata ID field so we shouldn't miss anything. Adding a debug log line would be fine, anything more would get quite spammy however.
Ah yes, I forgot it does cmp.Equal, should be fine then.
| continue | ||
| } | ||
| if ca.GetType() != types.HostCA && ca.GetClusterName() != conn.ClientIdentity.ClusterName { | ||
| if ca.GetType() != types.HostCA || ca.GetClusterName() != conn.ClientIdentity.ClusterName { |
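Review bot: the `+` line now skips every event that is not the local cluster's host CA, which is what syncRotationStateAndBroadcast needs, but the flip from `&&` to `||` is easy to misread on a later pass; add a one-line comment above the check saying that only the local host CA triggers the broadcast, and a unit test asserting that both a user CA and a host CA with a different cluster name hit `continue`, which also covers the test-coverage request in this review.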
Yes, the original version had a bug and called syncRotationStateAndBroadcast unnecessarily often; syncRotationStateAndBroadcast only ever cares about the local host CA, so it should be called when just that one has potentially changed.
Got it, thanks for the clarification.
CertAuthority watcher filtering (#10020)

Including similar changes to the v7 backport
This PR:
CertAuthority resources by type (host/user/jwt) and name, and adds the appropriate CA filter to the cache for Node roles (host CAs with a name that matches the cluster name, all user CAs) and for the syncRotationStateCycle loop (only host CAs from the current cluster).

Fixes #9895.
The version cutoff for applying the server-side filter was set to 9.0.0; any backport at v7 and earlier should remove the client side filters and rely on that, as clients are allowed to connect to auth servers with a higher major version that don't have the backport yet.
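The filter sets described in the PR description, the ID-ignoring equivalence check discussed in the review thread, and the corrected skip condition from the syncRotationStateCycle hunk, worked through as an added example. This is not Teleport's code: the CertAuthority, CAFilter, CAType and function names below are constructed stand-ins for this illustration, and the equivalence check uses reflect.DeepEqual with the ID zeroed rather than cmp.Equal.

```go
package main

import (
	"fmt"
	"reflect"
)

// CAType mirrors the three CA kinds named in the PR description (host/user/jwt).
// Every type and name in this file is constructed for the example; none is Teleport's API.
type CAType string

const (
	HostCA CAType = "host"
	UserCA CAType = "user"
	JWTCA  CAType = "jwt"
)

// CertAuthority is a minimal stand-in for the resource being filtered.
type CertAuthority struct {
	ID          int64 // metadata ID, deliberately ignored by Equivalent
	Type        CAType
	ClusterName string
	PublicKey   string
}

// CAFilter selects CAs by type and cluster name; an empty ClusterName matches any name.
type CAFilter struct {
	Type        CAType
	ClusterName string
}

// Match reports whether a single filter accepts the CA.
func (f CAFilter) Match(ca CertAuthority) bool {
	return ca.Type == f.Type && (f.ClusterName == "" || ca.ClusterName == f.ClusterName)
}

// NodeFilters is the set the PR attaches to the cache for Node roles:
// host CAs whose name matches the local cluster, plus all user CAs.
func NodeFilters(localCluster string) []CAFilter {
	return []CAFilter{
		{Type: HostCA, ClusterName: localCluster},
		{Type: UserCA},
	}
}

// RotationFilters is the set for the syncRotationStateCycle loop: only the local host CA.
func RotationFilters(localCluster string) []CAFilter {
	return []CAFilter{{Type: HostCA, ClusterName: localCluster}}
}

// MatchesAny reports whether any filter in the set accepts the CA, i.e. whether a
// watcher configured with these filters would receive the event at all.
func MatchesAny(filters []CAFilter, ca CertAuthority) bool {
	for _, f := range filters {
		if f.Match(ca) {
			return true
		}
	}
	return false
}

// Equivalent compares two CAs ignoring the metadata ID, the same idea as the
// cmp.Equal-skipping-ID check described in the review thread.
func Equivalent(a, b CertAuthority) bool {
	a.ID, b.ID = 0, 0
	return reflect.DeepEqual(a, b)
}

// ShouldBroadcast encodes the corrected (||) condition from the review hunk:
// the rotation state is re-synced only for the local cluster's host CA.
func ShouldBroadcast(ca CertAuthority, localCluster string) bool {
	if ca.Type != HostCA || ca.ClusterName != localCluster {
		return false
	}
	return true
}

// ShouldBroadcastBuggy keeps the original && form so the difference is visible:
// it skips only CAs that are both non-host AND from another cluster.
func ShouldBroadcastBuggy(ca CertAuthority, localCluster string) bool {
	if ca.Type != HostCA && ca.ClusterName != localCluster {
		return false
	}
	return true
}

func main() {
	local := "root"
	// Constructed sample events: one of each interesting shape.
	events := []CertAuthority{
		{ID: 1, Type: HostCA, ClusterName: "root"},
		{ID: 2, Type: HostCA, ClusterName: "leaf"},
		{ID: 3, Type: UserCA, ClusterName: "root"},
		{ID: 4, Type: JWTCA, ClusterName: "root"},
	}
	for _, ca := range events {
		fmt.Printf("%s/%s node=%v rotation=%v broadcast=%v buggy=%v\n",
			ca.Type, ca.ClusterName,
			MatchesAny(NodeFilters(local), ca), MatchesAny(RotationFilters(local), ca),
			ShouldBroadcast(ca, local), ShouldBroadcastBuggy(ca, local))
	}
}
```

Running it shows the two cases the original `&&` got wrong: a user CA from the local cluster and a host CA from another cluster both trigger the broadcast under ShouldBroadcastBuggy, while the `||` form skips them and only the local host CA passes.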