Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support tls cert rotation #831

Merged
merged 17 commits into from
May 26, 2023
Merged

feat: support tls cert rotation #831

merged 17 commits into from
May 26, 2023

Conversation

akashsinghal
Copy link
Collaborator

@akashsinghal akashsinghal commented May 16, 2023
edited
Loading

Description

What this PR does / why we need it:

  • Ratify's http server does not pick up changes to TLS certs. Currently, even if the underlying cert file changes, the in memory version will continue to be used for the duration of the server's lifetime.
  • This PR adds a custom config fetcher for TLS config so every new TLS connection reads the cert files from disk

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #821

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

  • Unit tests added
  • New e2e test

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

@akashsinghal akashsinghal self-assigned this May 16, 2023
@akashsinghal
Copy link
Collaborator Author

Design doc: https://hackmd.io/@akashsinghal/BySB4VbHh

@codecov
Copy link

codecov bot commented May 16, 2023
edited
Loading

Codecov Report

Patch coverage: 57.69% and project coverage change: +0.23 🎉

Comparison is base (e331d6f) 54.66% compared to head (9e4e019) 54.90%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #831      +/-   ##
==========================================
+ Coverage   54.66%   54.90%   +0.23%     
==========================================
  Files          79       80       +1     
  Lines        4615     4732     +117     
==========================================
+ Hits         2523     2598      +75     
- Misses       1815     1850      +35     
- Partials      277      284       +7
Impacted Files Coverage Δ
httpserver/server.go 6.25% <0.00%> (ø)
httpserver/tlsManager.go 64.10% <64.10%> (ø)

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@akashsinghal akashsinghal changed the title [prototype] feat: support tls cert rotation feat: support tls cert rotation May 19, 2023
@akashsinghal akashsinghal marked this pull request as ready for review May 24, 2023 01:14
binbin-li
binbin-li reviewed May 25, 2023
View reviewed changes
httpserver/server.go Outdated Show resolved Hide resolved
httpserver/tlsManager.go Show resolved Hide resolved
httpserver/server.go Show resolved Hide resolved
httpserver/tlsManager_test.go Show resolved Hide resolved
@akashsinghal akashsinghal merged commit cd1983b into ratify-project:main May 26, 2023
@binbin-li binbin-li mentioned this pull request Jun 13, 2023
Merged
10 tasks
@akashsinghal akashsinghal deleted the akashsinghal/tlsCertRotation branch July 14, 2023 21:45
bspaans pushed a commit to bspaans/ratify that referenced this pull request Oct 17, 2023
@akashsinghal
feat: support tls cert rotation (ratify-project#831)
3e350a0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@binbin-li binbin-li binbin-li approved these changes

@jimmyraywv jimmyraywv Awaiting requested review from jimmyraywv jimmyraywv is a code owner

@luisdlp luisdlp Awaiting requested review from luisdlp luisdlp is a code owner

@susanshi susanshi Awaiting requested review from susanshi susanshi is a code owner

@toddysm toddysm Awaiting requested review from toddysm toddysm is a code owner

Assignees

@akashsinghal akashsinghal

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[bug] tls: bad certificate when gatekeeper cert gets rotated
2 participants
@akashsinghal @binbin-li