Suspect code in certwatcher.go #2182
Comments
|
A Could we maybe start by improving the current implementation to improve our current implementation, and potentially adding a polling mode? |
|
I like the idea of being able to watch a secret directly We are thinking about potentially getting rid of cert-manager for webhook certificates and a Certificate provider could help with that |
Wouldn't that work just fine with the current implementation without setting up a watch/controller/reconciler? The secret can be volume mounted in the container itself |
|
Don't want to divert to much from the original topic, but I was thinking about something like this:
I don't know if when I use an optional Secret the secret is mounted into the pod as soon as it exists. But just early thoughts. Need more research / exploration if something like this would work |
I think this pr #1897 has already make webhook TLSConfig configurable. So that a CertificateProvider is an interface which can provide a func like: CertificateProvider might make sense to be a convenience wrapper of TLSConfig
I'm agreed with that certwatcher should be generic enough for most folks, and it should be worked in most environments. fsnotify is not works within sandboxed or restricted environment contexts. Please refers to: Also , Other projects is also use filenotify (polling mode) to replace fsnotify I'm willing to submit a PR with support polling mode of certwatcher which make it be more generic for kinds of filesystem implements if you agreed with that. |
Related: |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned |
|
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
While investigating a bug around certificate rotation in one of our controllers, I had a look at the logic in certwatcher.go. I found a few things that gave me pause:
It looks like an overflow error is logged but otherwise unhandled:
controller-runtime/pkg/certwatcher/certwatcher.go
Line 129 in f127c11
Our initial read of the certificate takes place before starting the watch, which suggests a potential race condition if fsnotify doesn't send an initial (fake) "create" message
In general we don't surface errors from fsnotify e.g. if the channel is closed
controller-runtime/pkg/certwatcher/certwatcher.go
Line 118 in f127c11
I'm wondering if we should have a polling fallback; a simple os.Stat every 60 seconds or similar. In my particular scenario I'm watching the certificate in a k8s secret directly, so writing to disk and then relying on an fsnotify is just extra complexity.
Would we be open to a PR that accepts a CertificateProvider instead of requiring CertDir? Then I could prove out some of these other options and submit them upstream...
The text was updated successfully, but these errors were encountered: