cmd/contour: hot-reload certificates and key #2198
Conversation
Codecov Report
@@ Coverage Diff @@
## master #2198 +/- ##
==========================================
+ Coverage 78.16% 78.72% +0.55%
==========================================
Files 57 57
Lines 5034 5048 +14
==========================================
+ Hits 3935 3974 +39
+ Misses 1013 984 -29
- Partials 86 90 +4
Continue to review full report at Codecov.
|
stevesloka
added
the
release-note
|
Thanks for this @tsaarni! I want to take a look at this soon. =) |
|
I'd also like to review before merging. |
|
Here is hands-on instruction how I tested this on a deployed system:
kubectl -n projectcontour exec \
$(kubectl -n projectcontour get pod -l app=envoy -o jsonpath='{.items[0].metadata.name}') -- \
openssl s_client -connect contour:8001 -CAfile /ca/cacert.pem -cert /certs/tls.crt -key /certs/tls.key \
| openssl x509 -text -noout
kubectl -n projectcontour create secret tls contourcert \
--cert=certs/contour.pem --key=certs/contour-key.pem \
--dry-run -o yaml \
| kubectl apply -f -
In this sequence I assume that in step 2. the server certificate was re-created with the same old CA i.e. CA was not re-created. |
There was a problem hiding this comment.
I agree that this looks pretty good. I had a few small nits, but very happy with the tests here.
We should be sure that we are OK with reloading the certificates on every TLS connection, and file a separate issue to make sure that we document this as part of the certificate rotation guide.
cmd/contour/servecontext.go
Outdated
| @@ -221,6 +221,7 @@ func (ctx *serveContext) tlsconfig() *tls.Config { | |||
| err := ctx.verifyTLSFlags() | |||
| check(err) | |||
|
|
|||
| // load certificates and key to catch configuration errors early | |||
There was a problem hiding this comment.
Nit: Comments should be full sentences with punctuation (here and in other files):
// Load certificates and key to catch configuration errors early.
There was a problem hiding this comment.
Sure, I have now rewritten all my comments as full sentences.
cmd/contour/servecontext_test.go
Outdated
|
|
||
| // create temporary directory to store certificates and key for the server | ||
| configDir, err := ioutil.TempDir("", "contour-testdata-") | ||
| checkErr(t, err) |
There was a problem hiding this comment.
In this case, checkErr should call t.Fatalf. It looks like all the other uses in this file should be fatal too, so we can rename it to checkFatalErr or something, and update it.
There was a problem hiding this comment.
I renamed checkErr() to checkFatalErr() and changed it to call t.Fatal.
cmd/contour/servecontext_test.go
Outdated
| expectedServerCert: "testdata/2/contourcert.pem", | ||
| expectError: false, | ||
| }, | ||
| "fail to connect with bad client certificate": { |
There was a problem hiding this comment.
IIUC, this fails because the client and server don't agree on the CA root certificate to expect? Let's update the description.
There was a problem hiding this comment.
Yes exactly, I updated the description.
tsaarni
force-pushed
the
certificate-rotation
branch
from
5447ae5 to
57a7ef8
Compare
tsaarni
force-pushed
the
certificate-rotation
branch
from
57a7ef8 to
9c78362
Compare
This change adds support for certificate rotation for XDS gRPC interface between Contour and Envoy. It is achieved by lazily loading certificates and key every time new TLS connection is established by Envoy. This change addresses only the certificate rotation in Contour (server) and similar support is needed for Envoy (client) to cover the whole use case. Signed-off-by: Tero Saarni <[email protected]>
This change adds support for certificate rotation for XDS gRPC interface
between Contour and Envoy. It is achieved by lazily loading certificates
and key every time new TLS connection is established by Envoy.
This change addresses only the certificate rotation in Contour (server)
and similar support is needed for Envoy (client) to cover the whole use
case.
Signed-off-by: Tero Saarni [email protected]