Refresh client CA certificate if changed

[pooneh-m]

If a client CA certificate is changed for agones-allocator, it requires the service pod restart (delete and recreate). To allow picking up new secrets when updated, this change watches the secret mounted volume and if changed reload the certificates in the TLS config.

[agones-bot]

Build Succeeded 👏

Build Id: f478b823-cb29-4fa6-b6bc-e5f32a63d518

The following development artifacts have been built, and will exist for the next 30 days:

• image: gcr.io/agones-images/agones-controller:1.1.0-bcce774
• image: gcr.io/agones-images/agones-sdk:1.1.0-bcce774
• image: gcr.io/agones-images/agones-ping:1.1.0-bcce774
• Linux C++ SDK (build): agonessdk-1.1.0-bcce774-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.1.0-bcce774.zip

A preview of the website (the last 30 builds are retained):

• https://bcce774-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/GoogleCloudPlatform/agones.git pull/1145/head:pr_1145 && git checkout pr_1145
• helm install install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.1.0-bcce774

[markmandel]

/cc @cyriltovena is this a better approach than what we've done previously?

[pooneh-m]

/cc @cyriltovena is this a better approach than what we've done previously?

Can you please give a context? What are you comparing this with?

[markmandel]

/cc @cyriltovena is this a better approach than what we've done previously?

Can you please give a context? What are you comparing this with?

Good question - so we did stuff in the install path so that if the helm generated cert was updated, it would recreate the backing pods for webhooks, etc -- basically restarting the service to reload the file.

I guess the reasoning here is more for being able to cycle certs on a more regular basis without having to restart the whole service? (which does sound better!)

[roberthbailey]

I think this change doesn't preclude you from using helm to rotate the certs via container restarts (as was done before) but it enables you to also rotate them by updating secrets without restarting the containers. The two approaches aren't mutually exclusive.

[roberthbailey]

/assign

[pooneh-m]

I guess the reasoning here is more for being able to cycle certs on a more regular basis without having to restart the whole service? (which does sound better!)

I didn't notice there is question for me. Exactly, this removes the requirement for restarting pods to pick up the new certificates.

[roberthbailey]

I've lost track of where we are on this PR -- is it back in my court for review?

[pooneh-m]

I've lost track of where we are on this PR -- is it back in my court for review?

There is a feedback to address the thread safety concern by using RWMutex. I'll apply the change and will let you know when it is ready to review.

[agones-bot]

Build Failed 😱

Build Id: defd9aab-2c1f-4479-9983-9d3ba04d9cb3

• Cloud Build view
• Cloud Build log download

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

[agones-bot]

Build Succeeded 👏

Build Id: a9a0a395-f04e-4551-b386-f9e397c713bb

The following development artifacts have been built, and will exist for the next 30 days:

• image: gcr.io/agones-images/agones-controller:1.2.0-5a60ac0
• image: gcr.io/agones-images/agones-sdk:1.2.0-5a60ac0
• image: gcr.io/agones-images/agones-ping:1.2.0-5a60ac0
• Linux C++ SDK (build): agonessdk-1.2.0-5a60ac0-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.2.0-5a60ac0.zip

A preview of the website (the last 30 builds are retained):

• https://5a60ac0-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/GoogleCloudPlatform/agones.git pull/1145/head:pr_1145 && git checkout pr_1145
• helm install install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.2.0-5a60ac0

[agones-bot]

Build Failed 😱

Build Id: 116da623-c464-4163-bc38-f5068ac78b2f

• Cloud Build view
• Cloud Build log download

To get permission to view the Cloud Build view, join the agones-discuss Google Group.

[agones-bot]

Build Succeeded 👏

Build Id: 97cef46a-15c2-4078-8f27-0f4f10b99435

The following development artifacts have been built, and will exist for the next 30 days:

• image: gcr.io/agones-images/agones-controller:1.2.0-3f1061f
• image: gcr.io/agones-images/agones-sdk:1.2.0-3f1061f
• image: gcr.io/agones-images/agones-ping:1.2.0-3f1061f
• Linux C++ SDK (build): agonessdk-1.2.0-3f1061f-linux-arch_64.tar.gz
• SDK Server: agonessdk-server-1.2.0-3f1061f.zip

A preview of the website (the last 30 builds are retained):

• https://3f1061f-dot-preview-dot-agones-images.appspot.com/

To install this version:

• git fetch https://github.com/GoogleCloudPlatform/agones.git pull/1145/head:pr_1145 && git checkout pr_1145
• helm install install/helm/agones --namespace agones-system --name agones --set agones.image.tag=1.2.0-3f1061f

[google-oss-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pooneh-m, roberthbailey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [pooneh-m,roberthbailey]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment