OCPBUGS-38503: Reload router when defaultDestinationCA is updated #537

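--- a/pkg/router/router_test.go
+++ b/pkg/router/router_test.go
@@ -102,11 +102,16 @@ func TestMain(m *testing.M) {
 
 h.workdir = workdir
 h.dirs = map[string]string{
-"whitelist": filepath.Join(workdir, "router", "whitelists"),
-"certs": filepath.Join(workdir, "router", "certs"),
+"whitelist": filepath.Join(workdir, "router", "whitelists"),
+"certs": filepath.Join(workdir, "router", "certs"),
+"serviceCA": filepath.Join(workdir, "service-ca"),
+"serviceCAData": filepath.Join(workdir, "service-ca", "..data/"),
 }
 
 createRouterDirs()
+defaultDestinationCA := filepath.Join(h.dirs["serviceCA"], "service-ca.crt")
+os.Create(filepath.Join(h.dirs["serviceCAData"], "service-ca.crt"))
+os.Symlink(filepath.Join(h.dirs["serviceCAData"], "service-ca.crt"), defaultDestinationCA)
 
 // The template plugin which is wrapped
 svcFetcher := templateplugin.NewListWatchServiceLookup(client.CoreV1(), 60*time.Second, namespace)
@@ -147,10 +152,11 @@ pgfj+yGLmkUw8JwgGH6xCUbHO+WBUFSlPf+Y50fJeO+OrjqPXAVKeSV3ZCwWjKT4
 u3YLAbyW/lHhOCiZu2iAI8AbmXem9lW6Tr7p/97s0w==
 -----END RSA PRIVATE KEY-----
 `,
-DefaultCertificateDir: h.dirs["certs"],
-ReloadFn: func(shutdown bool) error { return nil },
-TemplatePath: "../../images/router/haproxy/conf/haproxy-config.template",
-ReloadInterval: reloadInterval,
+DefaultCertificateDir: h.dirs["certs"],
+DefaultDestinationCAPath: defaultDestinationCA,
+ReloadFn: func(shutdown bool) error { return nil },
+TemplatePath: "../../images/router/haproxy/conf/haproxy-config.template",
+ReloadInterval: reloadInterval,
 HTTPResponseHeaders: []templateplugin.HTTPHeader{{
 Name: "x-foo",
 Value: "'bar'",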
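Review bot: The two fixture calls added after `createRouterDirs()` discard their results: `os.Create` returns an `*os.File` that is never closed plus an error, and `os.Symlink`'s error is dropped, so if either fails the suite keeps running with DefaultDestinationCAPath pointing at a path that does not exist and the new watch is silently never exercised. Check both results and close the handle; TestMain has no `t`, so abort setup the way the rest of this TestMain does (the `panic` below is a placeholder for that convention). The `..data/` directory plus a symlink into it presumably mirror how a mounted volume publishes an updated file, which is why the router watches the parent directory rather than the file — a one-line comment stating that intent would help the next reader. The TestMain body starts and ends outside the hunk.
```go
// … unchanged: createRouterDirs() and defaultDestinationCA …
caFile, err := os.Create(filepath.Join(h.dirs["serviceCAData"], "service-ca.crt"))
if err != nil {
	panic(err) // placeholder: use this TestMain's existing setup-failure convention
}
caFile.Close()
if err := os.Symlink(filepath.Join(h.dirs["serviceCAData"], "service-ca.crt"), defaultDestinationCA); err != nil {
	panic(err) // placeholder: same convention
}
```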
28 changes: 28 additions & 0 deletions pkg/router/template/router.go
Expand Up @@ -289,6 +289,9 @@ func newTemplateRouter(cfg templateRouterCfg) (*templateRouter, error) {
if err := router.watchMutualTLSCert(); err != nil {
return nil, err
}
if err := router.watchCABundleCert(); err != nil {
return nil, err
}
if router.dynamicConfigManager != nil {
log.V(0).Info("initializing dynamic config manager ... ")
router.dynamicConfigManager.Initialize(router, router.defaultCertificatePath)
Expand Down Expand Up @@ -1521,3 +1524,28 @@ func privateKeysFromPEM(pemCerts []byte) ([]byte, error) {
}
return buf.Bytes(), nil
}

// watchCABundleCert watches the directory containing the CA bundle certificate
// and reloads the router if the directory contents change.
func (r *templateRouter) watchCABundleCert() error {
if len(r.defaultDestinationCAPath) == 0 {
log.V(0).Info("defaultDestinationCAPath is empty, file watcher not created")
return nil
}

caBundleDir := filepath.Dir(r.defaultDestinationCAPath)
reloadFn := func() {
log.V(0).Info("reloading to get updated default destination CA certificate bundle")
r.rateLimitedCommitFunction.RegisterChange()
}

if err := r.watchVolumeMountDir(caBundleDir, reloadFn); err != nil {
// On encountering an error will log it and not return the error because
// DefaultDestinationCAPath is an optional configuration parameter, and an
// error here shouldn't cause router to exit.
log.V(0).Error(err, "failed to establish watch on CA bundle certificate directory")
return nil
}

return nil
}
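Review bot: watchCABundleCert can never return a non-nil error — the empty-path exit, the watch-failure branch after the log call, and the success path all `return nil` — so the `error` result, and the `return nil, err` branch the first hunk adds to newTemplateRouter, are unreachable. Either propagate the watch error, which the in-body comment says is deliberately not done, or change the signature to `func (r *templateRouter) watchCABundleCert()` and call it as a statement so the best-effort contract is visible at the call site; if the signature is kept for symmetry with watchMutualTLSCert, extend the doc comment with `// It never returns an error: a failed watch is logged and the router runs without live CA-bundle reloads.` Whether watchVolumeMountDir invokes reloadFn once per directory event or coalesces them is not visible here; if it is per-event, a volume update that rewrites the directory may call RegisterChange several times, which the rateLimitedCommitFunction name suggests is absorbed but is worth confirming. Nothing in reloadFn checks that the updated bundle is readable before a reload is requested, so it is worth confirming that a reload with an empty or unparsable bundle is reported rather than silently leaving the previous configuration in place. The newTemplateRouter body in the first hunk starts and ends outside the hunk.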