Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow webhook to load certs dynamically. #4329

Merged
merged 4 commits into from
Mar 20, 2018
Merged

Conversation

yusuoh
Copy link

@yusuoh yusuoh commented Mar 16, 2018

No description provided.

@yusuoh yusuoh requested a review from ayj March 16, 2018 17:57
@istio-merge-robot
Copy link

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
We suggest the following additional approver: ijsnellf

Assign the PR to them by writing /assign @ijsnellf in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@codecov
Copy link

codecov bot commented Mar 16, 2018

Codecov Report

Merging #4329 into master will increase coverage by 3%.
The diff coverage is 80%.

Impacted file tree graph

@@           Coverage Diff           @@
##           master   #4329    +/-   ##
=======================================
+ Coverage      71%     74%    +3%     
=======================================
  Files         315     313     -2     
  Lines       29141   28965   -176     
=======================================
+ Hits        20472   21164   +692     
+ Misses       7444    6485   -959     
- Partials     1225    1316    +91
Impacted Files Coverage Δ
pilot/pkg/kube/inject/webhook.go 85% <80%> (+4%) ⬆️
pilot/pkg/serviceregistry/kube/cache.go 63% <0%> (-37%) ⬇️
mixer/pkg/api/grpcServer.go 74% <0%> (-26%) ⬇️
...olarwinds/internal/papertrail/papertrail_logger.go 62% <0%> (-18%) ⬇️
pilot/pkg/config/aggregate/config.go 78% <0%> (-16%) ⬇️
...rity/cmd/node_agent_k8s/workloadapi/workloadapi.go 42% <0%> (-12%) ⬇️
pilot/pkg/config/memory/monitor.go 82% <0%> (-9%) ⬇️
mixer/adapter/solarwinds/metrics_handler.go 75% <0%> (-8%) ⬇️
pilot/pkg/config/monitor/monitor.go 69% <0%> (-6%) ⬇️
mixer/adapter/prometheus/prometheus.go 83% <0%> (-5%) ⬇️
... and 53 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update d6c99f9...c38d683. Read the comment docs.

@yusuoh yusuoh requested a review from costinm March 19, 2018 18:30
@@ -230,6 +241,12 @@ func (wh *Webhook) Run(stop <-chan struct{}) {
}
}

func (wh *Webhook) getCert(*tls.ClientHelloInfo) (*tls.Certificate, error) {
defer wh.mu.Unlock()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Invert the order here to adhere to existing conventions, e.g.

wh.mu.Lock()
defer wh.mu.Unlock()

cleanup()
t.Fatalf("WriteFile(%v) failed: %v", wh.keyFile, err)
}
time.Sleep(5 * watchDebounceDelay)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is potentially flaky. Could we use https://onsi.github.io/gomega/#eventually here to (a) increase the retry multiple times with a longer duration and (b) exist early once the condition is satisfied. A few seconds upper bound seems reasonable for more consistent tests, particularly if the common case is much faster than that.

g := gomega.NewGomegaWithT(t)
g.Eventually(func() bool {
return checkCert(t, wh, rotatedCert, rotatedKey)
}, "10s", "1s").Should(gomega.BeTrue())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/1s/100ms to speed things up in the best case.

}, "10s", "1s").Should(gomega.BeTrue())
}

func checkCert(t *testing.T, wh *Webhook, cert, key []byte) bool {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a t.Helper() here to mark the function as a test helper (see https://golang.org/pkg/testing/#T.Helper). This will improve file/line information in prints.

@yusuoh
Copy link
Author

yusuoh commented Mar 20, 2018

/retest

@yusuoh
Copy link
Author

yusuoh commented Mar 20, 2018

/test all

@istio-testing
Copy link
Collaborator

istio-testing commented Mar 20, 2018

@yusuoh: The following test failed, say /retest to rerun them all:

Test name Commit Details Rerun command
prow/istio-unit-tests.sh c38d683 link /test istio-unit-tests

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@yusuoh yusuoh merged commit 3cf740a into istio:master Mar 20, 2018
@yusuoh yusuoh deleted the webhook4 branch March 20, 2018 18:40
PiotrSikora added a commit to PiotrSikora/istio that referenced this pull request Sep 13, 2018
Pulling the following changes from github.com/istio/proxy:

f498337 Fix a bug in origin authenticator that wrongly treats empty origin methods as pass (istio#1962)
c352de0 Mixer Client: Add support for TCP local attributes (istio#1967)
2c563c6 remove not used path patcher functions (istio#1966)
490d26f Update Envoy SHA to latest with TCP proxy fixes. (istio#1964)
4cc4b7c Mixer Client uses Node metadata to populate Mixer attributes (istio#1961)
cf23357 Fix the peerIsOptional and originIsOptional for authn filter. (istio#1959)
cc6e58e support per-path JWT validation. (istio#1928)
a5dd1aa mixer: clear route cache on header update (istio#1946)

Pulling the following changes from github.com/envoyproxy/envoy:

f936fc60f ssl: serialize accesses to SSL socket factory contexts (istio#4345)
e34dcd62a Fix crash in tcp_proxy (istio#4323)
ae6a25222 router: fix matching when all domains have wildcards (istio#4326)
aa06142ff test: Stop fake_upstream methods from accidentally succeeding (istio#4232)
5d731878f rbac: update the authenticated.user to a StringMatcher. (istio#4250)
c6bfc7d9a time: Event::TimeSystem abstraction to make it feasible to inject time with simulated timers (istio#4257)
752483ea9 Fixing the fix (istio#4333)
83487f6f3 tls: update BoringSSL to ab36a84b (3497). (istio#4338)
7bc210e02 test: fixing interactions between waitFor and ignore_spurious_events (istio#4309)
69474b398 admin: order stats in clusters json admin (istio#4306)
2d155f901 ppc64le build (istio#4183)
07efc6dc6 fix static initialization fiasco problem (istio#4314)
0b7e3b5e0 test: Remove declared but undefined class methods (istio#4297)
1485a1304 lua: make sure resetting dynamic metadata wrapper when request info is marked dead
d243cd62e test: set to zero when start_time exceeds limit (istio#4328)
0a1e92acc test: fix heap use-after-free in ~IntegrationTestServer. (istio#4319)
cddc732c7 CONTRIBUTING: Document 'kick-ci' trick. (istio#4335)
f13ef2464 docs: remove reference to deprecated value field (istio#4322)
e947a2766 router: minor doc fixes in stream idle timeout (istio#4329)
0c2e998af tcp-proxy: fixing a TCP proxy bug where we attempted to readDisable a closed connection (istio#4296)
00ffe44a2 utility: fix strftime overflow handling. (istio#4321)
af1183c28 Re-enable TcpProxySslIntegrationTest and make the tests pass again. (istio#4318)
35534617b fuzz: fix H2 codec fuzzer post istio#4262. (istio#4311)
42f604853 Proto string issue fix (istio#4320)
9c492a01d Support Envoy to fetch secrets using SDS service. (istio#4256)
a8572192f ratelimit: revert `revert rate limit failure mode config` and add tests (istio#4303)
1d34172bd dns: fix exception unsafe behavior in c-ares callbacks. (istio#4307)
121242340 alts: add gRPC TSI socket (istio#4153)
f0363ae63 fuzz: detect client-side resets in H2 codec fuzzer. (istio#4300)
01aa3f820 test: hopefully deflaking echo integration test (istio#4304)
1fc0f4ba2 ratelimit: link legacy proto when message is being used (istio#4308)
aa4481e6b fix rare List::remove(&target) segfault (istio#4244)
89e0f23ba headers: fixing fast fail of size-validation (istio#4269)
97eba5918 build: bump googletest version. (istio#4293)
0057e22d9 fuzz: avoid false positives in HCM fuzzer. (istio#4262)
9d094e590 Revert ac0bd74f6f9716e3a44d1412f795317c30ca770a (istio#4295)
ddb28a4a1 Add validation context provider (istio#4264)
3b47cbabb added histogram latency information to Hystrix dashboard stream (istio#3986)
cf87d50cd docs: update SNI FAQ. (istio#4285)
f952033a4 config: fix update empty stat for eds (istio#4276)
329e591d3 router: Add ability of custom headers to rely on per-request data (istio#4219)
68d20b46c  thrift: refactor build files and imports (istio#4271)
5fa8192a3 access_log: log requested_server_name in tcp proxy (istio#4144)
fa45bb48f fuzz: libc++ clocks don't like nanos. (istio#4282)
53f8944f7 stats: add symbol table for future stat name encoding (istio#3927)
c987b425b test infra: Remove timeSource() from the ClusterManager api (istio#4247)
cd171d9a9 websocket: tunneling websockets (and upgrades in general) over H2 (istio#4188)
b9dc5d9a0 router: disallow :path/host rewriting in request_headers_to_add. (istio#4220)
0c9101127 network: skip socket options and source address for UDS client connections (istio#4252)
da1857d59 build: fixing a downstream compile error by noting explicit fallthrough (istio#4265)
9857cfe2a fuzz: cleanup per-test environment after each fuzz case. (istio#4253)
52beb067d test: Wrap proto string in std::string before comparison (istio#4238)
f5e219edc extensions/thrift_proxy: Add header matching to thrift router (istio#4239)
c9ce5d2b1 fuzz: track read_disable_count bidirectionally in codec_impl_fuzz_test. (istio#4260)
35103b353 fuzz: use nanoseconds for SystemTime in RequestInfo. (istio#4255)
ba6ba9883 fuzz: make runtime root hermetic in server_fuzz_test. (istio#4258)
b0a901480 time: Add 'format' test to ensure no one directly instantiates Prod*Time from source. (istio#4248)
85674603b access_log: support beginning of epoch in START_TIME. (istio#4254)
28d5f4118 proto: unify envoy_proto_library/api_proto_library. (istio#4233)
f7d3cb638 http: fix allocation bug introduced in istio#4211. (istio#4245)

Fixes istio#8310.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
istio-testing pushed a commit that referenced this pull request Sep 17, 2018
* Update Proxy SHA to latest with TCP proxy fixes.

Pulling the following changes from github.com/istio/proxy:

f498337 Fix a bug in origin authenticator that wrongly treats empty origin methods as pass (#1962)
c352de0 Mixer Client: Add support for TCP local attributes (#1967)
2c563c6 remove not used path patcher functions (#1966)
490d26f Update Envoy SHA to latest with TCP proxy fixes. (#1964)
4cc4b7c Mixer Client uses Node metadata to populate Mixer attributes (#1961)
cf23357 Fix the peerIsOptional and originIsOptional for authn filter. (#1959)
cc6e58e support per-path JWT validation. (#1928)
a5dd1aa mixer: clear route cache on header update (#1946)

Pulling the following changes from github.com/envoyproxy/envoy:

f936fc60f ssl: serialize accesses to SSL socket factory contexts (#4345)
e34dcd62a Fix crash in tcp_proxy (#4323)
ae6a25222 router: fix matching when all domains have wildcards (#4326)
aa06142ff test: Stop fake_upstream methods from accidentally succeeding (#4232)
5d731878f rbac: update the authenticated.user to a StringMatcher. (#4250)
c6bfc7d9a time: Event::TimeSystem abstraction to make it feasible to inject time with simulated timers (#4257)
752483ea9 Fixing the fix (#4333)
83487f6f3 tls: update BoringSSL to ab36a84b (3497). (#4338)
7bc210e02 test: fixing interactions between waitFor and ignore_spurious_events (#4309)
69474b398 admin: order stats in clusters json admin (#4306)
2d155f901 ppc64le build (#4183)
07efc6dc6 fix static initialization fiasco problem (#4314)
0b7e3b5e0 test: Remove declared but undefined class methods (#4297)
1485a1304 lua: make sure resetting dynamic metadata wrapper when request info is marked dead
d243cd62e test: set to zero when start_time exceeds limit (#4328)
0a1e92acc test: fix heap use-after-free in ~IntegrationTestServer. (#4319)
cddc732c7 CONTRIBUTING: Document 'kick-ci' trick. (#4335)
f13ef2464 docs: remove reference to deprecated value field (#4322)
e947a2766 router: minor doc fixes in stream idle timeout (#4329)
0c2e998af tcp-proxy: fixing a TCP proxy bug where we attempted to readDisable a closed connection (#4296)
00ffe44a2 utility: fix strftime overflow handling. (#4321)
af1183c28 Re-enable TcpProxySslIntegrationTest and make the tests pass again. (#4318)
35534617b fuzz: fix H2 codec fuzzer post #4262. (#4311)
42f604853 Proto string issue fix (#4320)
9c492a01d Support Envoy to fetch secrets using SDS service. (#4256)
a8572192f ratelimit: revert `revert rate limit failure mode config` and add tests (#4303)
1d34172bd dns: fix exception unsafe behavior in c-ares callbacks. (#4307)
121242340 alts: add gRPC TSI socket (#4153)
f0363ae63 fuzz: detect client-side resets in H2 codec fuzzer. (#4300)
01aa3f820 test: hopefully deflaking echo integration test (#4304)
1fc0f4ba2 ratelimit: link legacy proto when message is being used (#4308)
aa4481e6b fix rare List::remove(&target) segfault (#4244)
89e0f23ba headers: fixing fast fail of size-validation (#4269)
97eba5918 build: bump googletest version. (#4293)
0057e22d9 fuzz: avoid false positives in HCM fuzzer. (#4262)
9d094e590 Revert ac0bd74f6f9716e3a44d1412f795317c30ca770a (#4295)
ddb28a4a1 Add validation context provider (#4264)
3b47cbabb added histogram latency information to Hystrix dashboard stream (#3986)
cf87d50cd docs: update SNI FAQ. (#4285)
f952033a4 config: fix update empty stat for eds (#4276)
329e591d3 router: Add ability of custom headers to rely on per-request data (#4219)
68d20b46c  thrift: refactor build files and imports (#4271)
5fa8192a3 access_log: log requested_server_name in tcp proxy (#4144)
fa45bb48f fuzz: libc++ clocks don't like nanos. (#4282)
53f8944f7 stats: add symbol table for future stat name encoding (#3927)
c987b425b test infra: Remove timeSource() from the ClusterManager api (#4247)
cd171d9a9 websocket: tunneling websockets (and upgrades in general) over H2 (#4188)
b9dc5d9a0 router: disallow :path/host rewriting in request_headers_to_add. (#4220)
0c9101127 network: skip socket options and source address for UDS client connections (#4252)
da1857d59 build: fixing a downstream compile error by noting explicit fallthrough (#4265)
9857cfe2a fuzz: cleanup per-test environment after each fuzz case. (#4253)
52beb067d test: Wrap proto string in std::string before comparison (#4238)
f5e219edc extensions/thrift_proxy: Add header matching to thrift router (#4239)
c9ce5d2b1 fuzz: track read_disable_count bidirectionally in codec_impl_fuzz_test. (#4260)
35103b353 fuzz: use nanoseconds for SystemTime in RequestInfo. (#4255)
ba6ba9883 fuzz: make runtime root hermetic in server_fuzz_test. (#4258)
b0a901480 time: Add 'format' test to ensure no one directly instantiates Prod*Time from source. (#4248)
85674603b access_log: support beginning of epoch in START_TIME. (#4254)
28d5f4118 proto: unify envoy_proto_library/api_proto_library. (#4233)
f7d3cb638 http: fix allocation bug introduced in #4211. (#4245)

Fixes #8310.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

* Update go-control-plane API and fix test fails

* Fixed the pilot rbac build fail due to envoyproxy/envoy#4250
* Fixed the istioctl test fail due to envoyproxy/envoy#4306

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants