Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reload VaultConfig if CAFile, CertFile, KeyFile have changed #6677

Closed
wants to merge 1 commit into from
Closed

Reload VaultConfig if CAFile, CertFile, KeyFile have changed #6677

wants to merge 1 commit into from
+48 −18

Conversation

Xopherus
Copy link
Contributor

Fixes #4395, #6052

@Xopherus Xopherus force-pushed the fix-vault-config-reload branch from 9208554 to 988c80c Compare November 12, 2019 13:28
@Xopherus Xopherus force-pushed the fix-vault-config-reload branch from 988c80c to 57b365d Compare November 12, 2019 13:34
@Xopherus Xopherus marked this pull request as ready for review November 12, 2019 16:51
@Xopherus Xopherus mentioned this pull request Nov 13, 2019
Open
notnoop
notnoop suggested changes Jan 6, 2020
View reviewed changes
Copy link
Contributor

@notnoop notnoop left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for submitting the PR. Overall this is good, though need to be careful about mutations and tls files being updated in-place.

We, the nomad team, probably should consider having the internal structs contain the raw file bytes rather than file paths; this would ease reasoning around handling file modifications and detecting changes/drifts.

nomad/structs/config/vault.go

if a.Checksum == "" {
if err := a.SetChecksum(); err != nil {
return true, err
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feels like we should use false as the fail value. Besides being the zero value, if we were to accidentally ignore the returned error, we'd fail by refreshing vault config, which is a noop if files didn't actually change.

Noticed that the TLS config has that behavior in

nomad/nomad/structs/config/tls.go

Lines 253 to 260 in 8e4a5f1

// Set the checksum if it hasn't yet been set (this should happen when the
// config is parsed but this provides safety in depth)
if newConfig.Checksum == "" {
err := newConfig.SetChecksum()
if err != nil {
return false, err
}
}

Suggested change
return true, err
return false, err

nomad/structs/config/vault.go
}

// SetChecksum generates and sets the checksum for a Vault configuration.
func (a *VaultConfig) SetChecksum() error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This probably should be called by Merge() to avoid using a stale pre-merge checksum accidentally.

nomad/structs/config/vault.go
}
return true
return a.Checksum == b.Checksum, nil
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Populating SetChecksum lazily causes missing the first update. Consider the case where the tls files are manipulated in place and SIGHUP sent to nomad. The checksums for both objects would reflect the latest and this function returns true unexpectedly.

We probably should call SetChecksum during config initialization.

@Xopherus
Copy link
Contributor Author

@notnoop I appreciate the review. I did end up deploying a version of this to test in my stack and like you said, I found that this was incomplete. However I did leave a comment with some of my findings on #4593 (comment) and I think the scope is actually much larger than I initially expected. Certainly it's much larger of an effort that I can do by myself. That being said, I think this feature is sorely needed in order to run Nomad with Vault-backed TLS, and would be glad to help provide more information to the Nomad team to help make this happen.

If that's cool with you, then I think we can close this PR.

@Xopherus Xopherus closed this Apr 24, 2020
@Xopherus Xopherus deleted the fix-vault-config-reload branch April 24, 2020 18:25
@github-actions
Copy link

github-actions bot commented Jan 9, 2023

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 9, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@notnoop notnoop notnoop requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Xopherus @notnoop