Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add token file watcher #979

Open
wants to merge 70 commits into
base: v3
Choose a base branch
from
Open

Add token file watcher #979

wants to merge 70 commits into from

Conversation

sean-breen
Copy link
Contributor

Proposed changes

  • Add a new watcher service CredentialWatcherService which will initially monitor the file pointed to by tokenpath option in agent conf.
  • When a write is detected to any of the files being watched, this will trigger a restart of the gRPC connection to the control plane. It also resets the FIle and Command Service clients to use this new connection.
  • During the reset, the Agent may become unavailable for a moment while the gRPC connection is being re-initiated.
  • Once the health message is received, the dataplane status should return to being available.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING document
  • I have run make install-tools and have attached any dependency changes to this pull request
  • If applicable, I have added tests that prove my fix is effective or that my feature works
  • If applicable, I have checked that any relevant tests pass after adding my changes
  • If applicable, I have updated any relevant documentation (README.md)
  • If applicable, I have tested my cross-platform changes on Ubuntu 22, Redhat 8, SUSE 15 and FreeBSD 13

sean-breen and others added 30 commits January 6, 2025 15:22
@sean-breen
support reading token from file via config
1a17cd5
@sean-breen
remove empty file
c4b962d
@sean-breen
simplify token validation and add unit tests
d68fe7e
@sean-breen
add unit tests for transport credentials funtions
1b2b029
@sean-breen
address PR feedback
a43cb53
@sean-breen
proto updates
2ecf102
@sean-breen
fix function name
6872207
@sean-breen
fix lint error: lll
2c30d2c
@sean-breen
add missing PR feedback
2ee40ed
@sean-breen
remove error log message
3cbf80a
@sean-breen
fix unit test
95403c9
@sean-breen
Fix apk test package naming (#961)
b36e5fd 
* modify alpine package name:
nginx-agent-3.0.0_1234 -> nginx-agent-3.0.0.1234

* protoc-gen update
@aphralG @sean-breen
Update agent config defaults and format (#959)
36f9e3c 
* update config defaults and format
@dhurley @sean-breen
Add config apply request queue (#949)
81a70e1
@sean-breen
add unit tests for transport credentials funtions
e096397
@sean-breen
fix test name
df3b793
@sean-breen
fix error message
a44ca08
@sean-breen
fix lint error: lll
8d61593
@sean-breen
modify error messages
459c0d5
@sean-breen
remove error logging and modify messages
f26c45e
@sean-breen
fall back to token field if error occurs when reading file
371c72b
@sean-breen
Merge branch 'v3' into key-via-file-path
cd74bd4
@sean-breen
fix bad merge
c9d792d
@sean-breen
restarting gRPC conn
e19afb4
@sean-breen
remove code from testing
e4656a9
@sean-breen
fix lint errors: whitespace, revive
369f19e
@sean-breen
add new topic for handling Token file updates
1d48001
@sean-breen
add CredentialWatcherService
4747c13
@sean-breen
adding initial watcher for credential files
a570d6d
@sean-breen
trigger connection reset after credential update
572c529
@sean-breen sean-breen requested a review from a team as a code owner February 13, 2025 10:36
@github-actions github-actions bot added the chore Pull requests for routine tasks label Feb 13, 2025
aphralG
aphralG reviewed Feb 19, 2025
View reviewed changes
internal/command/command_plugin_test.go Outdated Show resolved Hide resolved
internal/command/command_service.go Outdated Show resolved Hide resolved
internal/command/command_service.go Outdated Show resolved Hide resolved
internal/watcher/watcher_plugin.go
func (w *Watcher) monitorWatchers(ctx context.Context) {
for {
select {
case <-ctx.Done():
return
case message := <-w.credentialUpdatesChannel:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this watcher also need to be stopped during a config apply ? Or check if a config apply is in progress ?

@aphralG
Copy link
Contributor

aphralG commented Feb 19, 2025

Could the token path be added to the full config test internal/config/config_test.go

dhurley
dhurley reviewed Feb 19, 2025
View reviewed changes
internal/command/command_plugin.go
func (cp *CommandPlugin) processConnectionReset(ctx context.Context, msg *bus.Message) {
slog.DebugContext(ctx, "Command plugin received connection reset")
if newConnection, ok := msg.Data.(grpc.GrpcConnectionInterface); ok {
if !cp.commandService.IsConnected() {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If its not connected should we still update the command service with the new connection & client?

internal/command/command_plugin.go Outdated Show resolved Hide resolved
internal/file/file_plugin.go Outdated Show resolved Hide resolved
test/integration/grpc_management_plane_api_test.go Outdated
@@ -212,7 +212,7 @@ func TestGrpc_Reconnection(t *testing.T) {
require.NoError(t, err)
mockManagementPlaneAPIAddress = net.JoinHostPort(ipAddress, ports["9093/tcp"][0].HostPort)

time.Sleep(5 * time.Second)
time.Sleep(10 * time.Second)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of a sleep could we increase the retry max wait here instead? https://github.com/nginx/agent/blob/v3/test/integration/grpc_management_plane_api_test.go#L565

internal/watcher/credentials/credential_watcher_service.go Outdated Show resolved Hide resolved
internal/watcher/credentials/credential_watcher_service.go Outdated Show resolved Hide resolved
internal/watcher/credentials/credential_watcher_service.go Outdated Show resolved Hide resolved
internal/watcher/credentials/credential_watcher_service.go
)

const (
Create = fsnotify.Create
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these constants used?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, they're used in isEventSkippable to check the type of the incoming FSNotify event

agent/internal/watcher/credentials/credential_watcher_service.go

Line 192 in 5645b19

func isEventSkippable(event fsnotify.Event) bool {

internal/watcher/watcher_plugin.go Outdated Show resolved Hide resolved
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dhurley dhurley dhurley left review comments

@aphralG aphralG aphralG left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
chore Pull requests for routine tasks
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sean-breen @aphralG @dhurley @ryepup