Reapply sidecar injector CA bundle to prevent overwrite #6435
Conversation
pilot/pkg/kube/inject/webhook.go
Outdated
| @@ -210,7 +211,11 @@ func (wh *Webhook) Run(stop <-chan struct{}) { | |||
| log.Errorf("update error: %v", err) | |||
| break | |||
| } | |||
|
|
|||
| caCertPEM, err := ioutil.ReadFile(wh.certFile) | |||
There was a problem hiding this comment.
Does the server's cert file (wh.certFile) include the CA bundle?
There was a problem hiding this comment.
Ah, that was a mistake - fixed.
pilot/pkg/kube/inject/webhook.go
Outdated
| @@ -241,6 +247,13 @@ func (wh *Webhook) Run(stop <-chan struct{}) { | |||
| } | |||
| } | |||
|
|
|||
| // GetCABundlePEM returns the CA bundle PEM, read from the cert file. Safe for concurrent use. | |||
There was a problem hiding this comment.
Is the intent here to support CA cert rotation? If not, the caCertPEM re-load code can be removed.
There was a problem hiding this comment.
Yes, might as well include this since it's a minor addition.
pilot/cmd/sidecar-injector/main.go
Outdated
| @@ -86,6 +86,9 @@ var ( | |||
| return multierror.Prefix(err, "failed to patch webhook config") | |||
| } | |||
|
|
|||
| if err := patchCertLoop(wh.GetCABundlePEM); err != nil { | |||
There was a problem hiding this comment.
patchCert() can be removed with this change.
There was a problem hiding this comment.
Currently if we don't succeed within 1 min we get an error and exit. If this is removed, we would continue and just log the error. Is that acceptable?
pilot/cmd/sidecar-injector/main.go
Outdated
| @@ -131,6 +134,24 @@ func patchCert() error { | |||
| return err | |||
| } | |||
|
|
|||
| // patchCertLoop continually reapplies the caBundle PEM. This is required because it can be overwritten with empty | |||
| // values if the original yaml is reapplied (https://github.com/istio/istio/issues/6069). | |||
| func patchCertLoop(getCABundlePEM func() []byte) error { | |||
There was a problem hiding this comment.
This is an improvement over the existing (broken) behavior. It will lead to some noise in api-server logs. That could be mitigated by updating PatchMutatingWebhookConfig to skip invoking PATCH if the strategic merge patch is empty.
Ideally this would be driven by watching the webhook configuration (via watch or informer) and only PATCH'ing if change is observed. Is there a follow-up tracking issue for that work item?
There was a problem hiding this comment.
There is now: #6451
Codecov Report
@@ Coverage Diff @@
## master #6435 +/- ##
=======================================
+ Coverage 68% 68% +1%
=======================================
Files 357 351 -6
Lines 31086 30833 -253
=======================================
- Hits 21010 20847 -163
+ Misses 9240 9144 -96
- Partials 836 842 +6
Continue to review full report at Codecov.
|
pilot/cmd/sidecar-injector/main.go
Outdated
| @@ -86,6 +86,9 @@ var ( | |||
| return multierror.Prefix(err, "failed to patch webhook config") | |||
| } | |||
|
|
|||
| if err := patchCertLoop(wh.GetCABundlePEM); err != nil { | |||
There was a problem hiding this comment.
Currently if we don't succeed within 1 min we get an error and exit. If this is removed, we would continue and just log the error. Is that acceptable?
pilot/cmd/sidecar-injector/main.go
Outdated
| @@ -131,6 +134,24 @@ func patchCert() error { | |||
| return err | |||
| } | |||
|
|
|||
| // patchCertLoop continually reapplies the caBundle PEM. This is required because it can be overwritten with empty | |||
| // values if the original yaml is reapplied (https://github.com/istio/istio/issues/6069). | |||
| func patchCertLoop(getCABundlePEM func() []byte) error { | |||
There was a problem hiding this comment.
There is now: #6451
pilot/pkg/kube/inject/webhook.go
Outdated
| @@ -210,7 +211,11 @@ func (wh *Webhook) Run(stop <-chan struct{}) { | |||
| log.Errorf("update error: %v", err) | |||
| break | |||
| } | |||
|
|
|||
| caCertPEM, err := ioutil.ReadFile(wh.certFile) | |||
There was a problem hiding this comment.
Ah, that was a mistake - fixed.
pilot/pkg/kube/inject/webhook.go
Outdated
| @@ -241,6 +247,13 @@ func (wh *Webhook) Run(stop <-chan struct{}) { | |||
| } | |||
| } | |||
|
|
|||
| // GetCABundlePEM returns the CA bundle PEM, read from the cert file. Safe for concurrent use. | |||
There was a problem hiding this comment.
Yes, might as well include this since it's a minor addition.
pilot/pkg/kube/inject/webhook.go
Outdated
| defer wh.mu.Unlock() | ||
| return wh.caCertPEM | ||
| } | ||
|
|
There was a problem hiding this comment.
I didn't like entangling the patch functionality into this type, so I moved it entirely into main.
|
|
||
| if string(patch) != "{}" { | ||
| _, err = client.Patch(webhookConfigName, types.StrategicMergePatchType, patch) | ||
| } |
There was a problem hiding this comment.
Lines 103-105 are correct for validating webhook. You need to make the same change for the mutating webhook on line 61.
pilot/cmd/sidecar-injector/main.go
Outdated
| const retryTimes = 6 // Try for one minute. | ||
| // patchCertLoop continually reapplies the caBundle PEM. This is required because it can be overwritten with empty | ||
| // values if the original yaml is reapplied (https://github.com/istio/istio/issues/6069). | ||
| func patchCertLoop() error { |
There was a problem hiding this comment.
Can you also reference the tracking issue for watch triggered patch (#6451)? e.g.
// TODO(https://github.com/istio/istio/issues/6451) - only patch when caBundle changes
pilot/cmd/sidecar-injector/main.go
Outdated
| } | ||
|
|
||
| case <-watcher.Event: | ||
| caCertPem, err = ioutil.ReadFile(flags.caCertFile) |
There was a problem hiding this comment.
This doesn't filter on file event type (e.g. delete). Any chance that this read will fail in such cases and overwrite caCertPem with nil? Maybe something like the following?
if b, err := ioutil.ReadFile(flags.caCertFile); err != nil {
/* error */
} else {
caCertPem = b
}|
Verified that reapplying istio.yaml blows away caBundle but it is immediately restored. |
|
/hold cancel |
e7b8a0d to
6556a0a
Compare
|
/lgtm |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ayj, hklai, ostromart The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test istio-unit-tests |
|
@ostromart: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
See related issue istio#6435.
* Continuously reapply galley CA bundle to prevent overwrite See related issue #6435. * fix linter error * refactor CreateClientset() into common pkg/kube * linter fixes
* Reapply CA bundle to prevent overrwrite * Add watcher, move cert reapply out of webhook * Fix review comments * Patch loop should be in goroutine * Lint
* Continuously reapply galley CA bundle to prevent overwrite See related issue istio#6435. * fix linter error * refactor CreateClientset() into common pkg/kube * linter fixes
Fixes #6069
Tell me if this looks reasonable and I will test it.