Skip to content

Fix initial secret not being written to Kubernetes #59

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
brandond merged 4 commits into from
May 20, 2022
Merged

Fix initial secret not being written to Kubernetes #59

brandond merged 4 commits into from
May 20, 2022

Conversation

@brandond
Copy link
Member

@brandond brandond commented May 11, 2022
edited
Loading

Updates to the secret that occurred before the controller was done syncing were not being written to Kubernetes. Subsequent updates to the secret would eventually get it written, but Rancher requires that the cert be written immediately. This was probably an unnecessary optimization anyway, so back it out in favor of just checking to see if the secrets controller is available.

Other fixes:

  • Fix improper handling of multiple goroutines attempting to create the Kubernetes secret at the same time; this was also handled eventually but caused an unnecessary round of extra writes to the secret.
  • Add warning when no cert is available on startup.
  • Add warning when signing operation may change the certificate's issuer - this may indicate a problem with inconsistent CAs between nodes.
  • Fix not adding IP SANs for IPv6 addresses.

Related to:

@brandond
Fix initial secret not being written to Kubernetes
8691868 
Updates to the secret that occurred before the controller was done
syncing were not being written to Kubernetes. Subsequent updates to the
secret would eventually get it written, but Rancher requires that the
cert be written immediately. This was probably an unnecessary
optimization anyway, so back it out in favor of just checking to see if
the secrets controller is available.

Also fixed improper handling of multiple goroutines attempting to create
the Kubernetes secret at the same time; this was also handled eventually
but caused an unnecessary round of extra writes to the secret.

Signed-off-by: Brad Davidson <[email protected]>
@brandond brandond mentioned this pull request May 11, 2022
Merged
steved
steved reviewed May 11, 2022
View reviewed changes
brandond added 2 commits May 11, 2022 13:41
@brandond
Send complete certificate chain, not just the leaf cert
35f1917 
Also, print a warning when signing may change the issuer.

Signed-off-by: Brad Davidson <[email protected]>
@brandond
We support IPv6 now, don't skip adding IPv6 address SANs
dd2177d 
Signed-off-by: Brad Davidson <[email protected]>
This was referenced May 11, 2022
Merged
Open
rmweir
rmweir suggested changes May 20, 2022
View reviewed changes
@brandond brandond requested a review from rmweir May 20, 2022 00:36
rmweir
rmweir approved these changes May 20, 2022
View reviewed changes
Copy link
Contributor

@rmweir rmweir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@brandond brandond merged commit d2b7e2a into rancher:master May 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kinarashah kinarashah Awaiting requested review from kinarashah

@cbron cbron Awaiting requested review from cbron

3 more reviewers

@steved steved steved left review comments

@thedadams thedadams thedadams approved these changes

@rmweir rmweir rmweir approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@brandond @steved @thedadams @rmweir