Change haproxy router to use a certificate list/map file. #11217
Conversation
|
[test] |
1 similar comment
|
[test] |
| */}} | ||
| {{ define "/var/lib/haproxy/conf/cert_config.map" }} | ||
| {{ $workingDir := .WorkingDir }} | ||
| {{ range $idx, $cfg := .State }} |
There was a problem hiding this comment.
is idx stable? When are the files on disk updated relative to the config being written and reloaded?
There was a problem hiding this comment.
idx stable - didn't get what you mean by that? The files on disk are actually created/updated as routes get processed.
There was a problem hiding this comment.
we're mapping {{$idx}}.pem to a particular hostname. as routes get added/removed, will $idx refer to a different route, and will {{$idx}}.pem be overwritten with a different route's cert?
if that happens asynchronously to the way the config is generated and reloaded, what does haproxy do in the meantime? does it ignore changes to the certs in the dir? does it pick up file changes?
There was a problem hiding this comment.
So that's the internally generated name of the route namespace+name, so it is unique for routes. So it is "stable".
As re: haproxy loading the cert - it would only do it now if there is an entry in the mapping file it loads at startup. New entries in the mapping file would only be "used" after the next reload. The flip side is on a route delete, the cert would be deleted before the reload.
There was a problem hiding this comment.
that's the internally generated name of the route namespace+name, so it is unique for routes
Unique is good. How does the map behave if multiple routes have the same host but specify different certs?
on a route delete, the cert would be deleted before the reload.
do we know if that causes errors or falls back to the default cert or something else? Do we need to move cert deletions to occur after the template is generated and haproxy is reloaded?
| @@ -464,7 +464,6 @@ echo "[INFO] Validating routed app response..." | |||
| # will be reachable via the ip of its pod. | |||
| router_ip=$(oc get pod "${router_pod}" --template='{{.status.podIP}}') | |||
| CONTAINER_ACCESSIBLE_API_HOST="${CONTAINER_ACCESSIBLE_API_HOST:-${router_ip}}" | |||
| validate_response "-s -k --resolve www.example.com:443:${CONTAINER_ACCESSIBLE_API_HOST} https://www.example.com" "Hello from OpenShift" 0.2 50 | |||
There was a problem hiding this comment.
What was this testing before?
There was a problem hiding this comment.
Have no idea - but it looked like it was expecting some remanent of a route to exist. The right test would be to create the route and see that it works - which is what the code that follows does.
There was a problem hiding this comment.
that's testing the route that was created earlier from the stibuild template. not seeing why we should delete this
There was a problem hiding this comment.
I'l take a look and see - might be that the route created is not valid (TLS config).
There was a problem hiding this comment.
did the map change break the "default cert" behavior of the router? I really don't want to remove this test if it was previously passing and suddenly failed with this PR
There was a problem hiding this comment.
sorry I thought this was the extended validation PR. I have to check this and see what's amiss here.
|
No the default cert behavior remains similar. If the host is not in the map (earlier this was not in the directory), then the default cert would be used. |
|
[test] to see failure |
|
ssh failure [test] |
|
@liggitt looks like the endpoints for the |
|
Looks like this is the error: Will look at where the route is created later today. And that's the reason why deleting the route and re-adding it works. I suspect it was using the default certificate previously which is why we didn't see errors - though that was probably not the intention for the test. So the downside is checks will be stricter with this change. @liggitt any thoughts/comments? |
|
ok this should fix the issue with the test failing. |
|
Evaluated for origin test up to 5ce393c |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9718/) |
what was the change? I'm missing the diff |
not sure what you mean by that... does that mean that previously, invalid certs were tolerated in the directory, and they are not tolerated in the map? |
|
@liggitt ignore the second comment on the stricter checks. The real failure was the cert file didn't exist (and was in the map). We don't write cert files if the field doesn't exist and the template code checks if there is a cert before adding an entry to the map. Edited typo field doesn't exist |
|
Ah, sounds good. LGTM |
|
Oh, how does the map handle multiple routes (presumably in the same namespace) pointing to the same host? |
|
@liggitt similar to the previous version, the certs would be picked up from the alphabetically first route in the same namespace. The first loaded certificate is how haproxy |
|
you can't sort go maps... you'll need to switch it to an array, which is not compatible with existing templates, right? |
|
the map file in question here is the |
|
Actually, I just realized we already sort all the maps thanks to |
|
this looks fine, can you make sure we have a test case with same host, different certs, and make sure it behaves as we expect? can be in a follow-up |
|
@liggitt will do in a follow up (or as part of the wildcard domain one as it would need something as well). Thx |
|
[merge] |
|
re-[merge] network seems to have failed on AWS |
|
du failed |
|
[merge] previous error was flake #11094 |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pr_origin/9718/) (Image: devenv-rhel7_5179) |
|
Evaluated for origin merge up to 5ce393c |
As discussed in #11201 pulling out the haproxy router changes to use a map for presenting certs with SNI in lieu of serving all certificates from a directory. The map file is reverse-keyed on the host.
Example entries:
@liggitt @rajatchopra @knobunc PTAL thx