Refactor how we process Secrets #441
pleshakov added a commit to pleshakov/nginx-gateway-fabric that referenced this issue on Jul 7, 2023

Problem: NKG doesn't watch for updates of TLS Secrets referenced by Gateway resource.

Solution:
- Move secrets processing into ChangeProcessor.
- Introduce helper secretResolver component to resolve Secrets (includes validation) and capture resolved Secrets.
- When building Gateway Listener, resolve Secrets using secretResolver.
- When building Graph, add referenced Secrets by Gateway to the Graph, including the ones that don't exist.
- When Upserting or Deleting a Secret to ChangeProcessor, use Graph to determine if the Secret is referenced by the Graph and thus changes the store.
- When building Configuration, add all TLS Secrets to it referenced by _valid_ TLS Listeners.
- Update NGINX file.Manager so that it can deal with multiple files of two types: regular and secret.
- Remove SecretStore and SecretDiskMemoryManager components.

Solves nginx#553
Solves nginx#441

Testing:
- Update affected and add new unit tests
- Manual testing
- Conformance testing. Relevant tests pass: TestConformance/GatewayInvalidTLSConfiguration
pleshakov added a commit that referenced this issue on Jul 7, 2023
miledxz added a commit to miledxz/nginx-gateway-fabric that referenced this issue on Jan 14, 2025
Currently, Secrets are processed differently than other Gateway API resources.
Refactor Secret processing so that it is done similarly to other Gateway API resources: we can move Secrets into the graph, so they are processed as the rest of the resources. After we build the graph, we can build the configuration that will include the secrets to be written on the file disk.
Aha! Link: https://nginx.aha.io/features/NKG-52
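
Added example, not code from the NGINX Gateway Fabric repository: a reduced Go model of the relevance check the commit message above describes, where the graph tracks every Secret a Gateway references (including ones that don't exist yet) and a Secret upsert or delete counts as a change only if that Secret is referenced. All type, field and method names, and the sample Secret names, are assumptions made for this sketch.

```go
package main

import "fmt"

// NamespacedName identifies a Secret (simplified stand-in for the Kubernetes type).
type NamespacedName struct{ Namespace, Name string }

// Secret holds TLS material; the field names are assumptions for this sketch.
type Secret struct{ Cert, Key string }

// Graph maps every Secret referenced by a Gateway listener to its current
// value. A nil value means "referenced, but not present in the cluster".
type Graph struct {
	ReferencedSecrets map[NamespacedName]*Secret
}

// NewGraph registers all listener references up front, existing or not.
func NewGraph(refs ...NamespacedName) *Graph {
	g := &Graph{ReferencedSecrets: make(map[NamespacedName]*Secret)}
	for _, r := range refs {
		g.ReferencedSecrets[r] = nil
	}
	return g
}

// UpsertSecret reports whether the event affects the graph and therefore
// requires regenerating configuration.
func (g *Graph) UpsertSecret(n NamespacedName, s *Secret) bool {
	if _, referenced := g.ReferencedSecrets[n]; !referenced {
		return false // unrelated Secret: ignore
	}
	g.ReferencedSecrets[n] = s
	return true
}

// DeleteSecret keeps the reference but drops the value, so a later
// re-creation of the Secret is still recognized as relevant.
func (g *Graph) DeleteSecret(n NamespacedName) bool {
	if _, referenced := g.ReferencedSecrets[n]; !referenced {
		return false
	}
	g.ReferencedSecrets[n] = nil
	return true
}

func main() {
	ref := NamespacedName{"default", "gateway-tls"} // constructed sample name
	g := NewGraph(ref)
	fmt.Println(g.UpsertSecret(NamespacedName{"default", "other"}, &Secret{})) // unrelated
	fmt.Println(g.UpsertSecret(ref, &Secret{Cert: "cert-v1", Key: "key-v1"}))  // created late
	fmt.Println(g.DeleteSecret(ref), g.ReferencedSecrets[ref] == nil)
}
```

Tracking the missing reference is what lets a certificate that is created or rotated after the Gateway was applied still trigger a configuration rebuild, instead of the listener staying on stale or absent key material.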