From 6095cf897df69ad5236064bee05b9f9766152f1c Mon Sep 17 00:00:00 2001
From: Bharath B
Date: Wed, 14 Aug 2024 21:09:45 +0530
Subject: [PATCH] NE-1803: Reload router when defaultDestinationCA is updated

---
 pkg/router/router_test.go     | 18 ++++++++++++------
 pkg/router/template/router.go | 28 ++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/pkg/router/router_test.go b/pkg/router/router_test.go
index 1b747224e..2a8c3cda6 100644
--- a/pkg/router/router_test.go
+++ b/pkg/router/router_test.go
@@ -102,11 +102,16 @@ func TestMain(m *testing.M) {
 	h.workdir = workdir
 	h.dirs = map[string]string{
-		"whitelist": filepath.Join(workdir, "router", "whitelists"),
-		"certs":     filepath.Join(workdir, "router", "certs"),
+		"whitelist":     filepath.Join(workdir, "router", "whitelists"),
+		"certs":         filepath.Join(workdir, "router", "certs"),
+		"serviceCA":     filepath.Join(workdir, "service-ca"),
+		"serviceCAData": filepath.Join(workdir, "service-ca", "..data/"),
 	}
 	createRouterDirs()
+	defaultDestinationCA := filepath.Join(h.dirs["serviceCA"], "service-ca.crt")
+	os.Create(filepath.Join(h.dirs["serviceCAData"], "service-ca.crt"))
+	os.Symlink(filepath.Join(h.dirs["serviceCAData"], "service-ca.crt"), defaultDestinationCA)
 	// The template plugin which is wrapped
 	svcFetcher := templateplugin.NewListWatchServiceLookup(client.CoreV1(), 60*time.Second, namespace)
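Review bot: The three setup lines added after `createRouterDirs()` discard the results of `os.Create` and `os.Symlink` and never close the *os.File that `os.Create` returns, so if the `..data/` directory is missing or a symlink from an earlier run already exists, DefaultDestinationCAPath ends up pointing at nothing and the suite runs on with the new watcher silently disabled. Check both calls and close the file: `f, err := os.Create(filepath.Join(h.dirs["serviceCAData"], "service-ca.crt")); if err != nil { panic(err) }; f.Close()` and `if err := os.Symlink(filepath.Join(h.dirs["serviceCAData"], "service-ca.crt"), defaultDestinationCA); err != nil { panic(err) }`. Whether createRouterDirs creates every entry of h.dirs, including the new `..data/` one, is not visible in the hunk. TestMain continues outside the hunk.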
@@ -147,10 +152,11 @@ pgfj+yGLmkUw8JwgGH6xCUbHO+WBUFSlPf+Y50fJeO+OrjqPXAVKeSV3ZCwWjKT4
 u3YLAbyW/lHhOCiZu2iAI8AbmXem9lW6Tr7p/97s0w==
 -----END RSA PRIVATE KEY-----
 `,
-		DefaultCertificateDir: h.dirs["certs"],
-		ReloadFn:              func(shutdown bool) error { return nil },
-		TemplatePath:          "../../images/router/haproxy/conf/haproxy-config.template",
-		ReloadInterval:        reloadInterval,
+		DefaultCertificateDir:    h.dirs["certs"],
+		DefaultDestinationCAPath: defaultDestinationCA,
+		ReloadFn:                 func(shutdown bool) error { return nil },
+		TemplatePath:             "../../images/router/haproxy/conf/haproxy-config.template",
+		ReloadInterval:           reloadInterval,
 		HTTPResponseHeaders: []templateplugin.HTTPHeader{{
 			Name:  "x-foo",
 			Value: "'bar'",
diff --git a/pkg/router/template/router.go b/pkg/router/template/router.go
index 17ccccb9f..060742f8c 100644
--- a/pkg/router/template/router.go
+++ b/pkg/router/template/router.go
@@ -289,6 +289,9 @@ func newTemplateRouter(cfg templateRouterCfg) (*templateRouter, error) {
 	if err := router.watchMutualTLSCert(); err != nil {
 		return nil, err
 	}
+	if err := router.watchCABundleCert(); err != nil {
+		return nil, err
+	}
 	if router.dynamicConfigManager != nil {
 		log.V(0).Info("initializing dynamic config manager ... ")
 		router.dynamicConfigManager.Initialize(router, router.defaultCertificatePath)
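Review bot: The error check added around `router.watchCABundleCert()` in newTemplateRouter can never fire, because the watchCABundleCert added in the next hunk of router.go logs the watchVolumeMountDir error and returns nil on every path. A reader sees a guarded startup step and assumes a failed watch aborts initialization, which it does not; a router that cannot track CA rotation then keeps running with a bundle that is never refreshed, with one log line as the only signal. Either make the optional-parameter semantics explicit by dropping the error return, `router.watchCABundleCert()` with `func (r *templateRouter) watchCABundleCert()`, or propagate it wrapped, `return fmt.Errorf("watching default destination CA directory: %w", err)`, and let the caller's existing check decide. The same point applies to the definition in the following hunk. newTemplateRouter continues outside the hunk.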
@@ -1521,3 +1524,28 @@ func privateKeysFromPEM(pemCerts []byte) ([]byte, error) {
 	}
 	return buf.Bytes(), nil
 }
+
+// watchCABundleCert watches the directory containing the CA bundle certificate
+// and reloads the router if the directory contents change.
+func (r *templateRouter) watchCABundleCert() error {
+	if len(r.defaultDestinationCAPath) == 0 {
+		log.V(0).Info("defaultDestinationCAPath is empty, file watcher not created")
+		return nil
+	}
+
+	caBundleDir := filepath.Dir(r.defaultDestinationCAPath)
+	reloadFn := func() {
+		log.V(0).Info("reloading to get updated default destination CA certificate bundle")
+		r.rateLimitedCommitFunction.RegisterChange()
+	}
+
+	if err := r.watchVolumeMountDir(caBundleDir, reloadFn); err != nil {
+		// On encountering an error will log it and not return the error because
+		// DefaultDestinationCAPath is an optional configuration parameter, and an
+		// error here shouldn't cause router to exit.
+		log.V(0).Error(err, "failed to establish watch on CA bundle certificate directory")
+		return nil
+	}
+
+	return nil
+}
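Review bot: watchCABundleCert watches `filepath.Dir(r.defaultDestinationCAPath)` rather than the file, and the doc comment should state the assumption that rests on: the bundle is expected to be delivered through a volume whose updates change the directory (the test mounts it as a symlink into a `..data/` directory, the projected-volume layout), which presumably is what watchVolumeMountDir detects as it does for watchMutualTLSCert — the helper's body is not in the hunk, so confirm. A plain file rewritten in place may not trigger the reload, leaving HAProxy verifying backends against a stale bundle after a CA rotation with nothing beyond the startup log to explain it. Suggested wording: `// watchCABundleCert watches the directory containing defaultDestinationCAPath (not the file itself) and registers a reload when the directory changes, e.g. when a projected volume swaps its ..data symlink; a failure to set up the watch is logged and otherwise ignored because the path is optional.` The `return nil` inside the error branch duplicates the final `return nil`; letting the branch fall through to the single return reads cleaner.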