Add watcher for upstreams TLS certificates #716


Merged: 4 commits from refresh_tls into observatorium:main, Jul 17, 2024

Conversation

@rubenvp8510 (Contributor) commented Jun 15, 2024

This PR adds a watcher for the certificates so that, in case of rotation, the certificates will be reloaded.

Added flags to disable/enable this per signal, and in the general server.
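The behaviour the PR description asks for, a client certificate that is re-read after rotation without restarting the process, can be demonstrated with a small reloader wired into `tls.Config.GetClientCertificate`. The code below is an added illustration, not the gateway's own code and not the `rbacproxytls.CertReloader` this PR uses; the `CertReloader` type, `WriteSelfSignedPair` helper and the `gateway-v1`/`gateway-v2` names are constructed for the example. It detects rotation by comparing file modification times on each handshake and keeps the last good key pair if a reload fails, so a half-written file during rotation does not break mTLS to the upstream.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// CertReloader (hypothetical, for this example only) serves the current client
// certificate to a tls.Config and re-reads the key pair when the files change.
type CertReloader struct {
	certPath, keyPath string
	mu               sync.RWMutex
	cert             *tls.Certificate
	certMod, keyMod  time.Time
}

func NewCertReloader(certPath, keyPath string) (*CertReloader, error) {
	r := &CertReloader{certPath: certPath, keyPath: keyPath}
	if err := r.reload(); err != nil {
		return nil, err
	}
	return r, nil
}

// reload parses the key pair from disk and records the mtimes it was read at.
func (r *CertReloader) reload() error {
	cert, err := tls.LoadX509KeyPair(r.certPath, r.keyPath)
	if err != nil {
		return err
	}
	cs, err := os.Stat(r.certPath)
	if err != nil {
		return err
	}
	ks, err := os.Stat(r.keyPath)
	if err != nil {
		return err
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	r.cert, r.certMod, r.keyMod = &cert, cs.ModTime(), ks.ModTime()
	return nil
}

// changed reports whether either file is newer than the copy in memory.
// Note: filesystems with coarse mtime granularity may hide a rewrite that
// happens within the same timestamp tick.
func (r *CertReloader) changed() bool {
	cs, err1 := os.Stat(r.certPath)
	ks, err2 := os.Stat(r.keyPath)
	if err1 != nil || err2 != nil {
		return false
	}
	r.mu.RLock()
	defer r.mu.RUnlock()
	return cs.ModTime().After(r.certMod) || ks.ModTime().After(r.keyMod)
}

// GetClientCertificate is the tls.Config callback: every new handshake gets the
// rotated certificate; a failed reload keeps serving the previous good pair.
func (r *CertReloader) GetClientCertificate(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	if r.changed() {
		if err := r.reload(); err != nil {
			fmt.Fprintf(os.Stderr, "cert reload failed, keeping previous pair: %v\n", err)
		}
	}
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.cert, nil
}

// ClientTLSConfig is how the reloader would be wired into an upstream client.
func ClientTLSConfig(r *CertReloader) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, GetClientCertificate: r.GetClientCertificate}
}

// WriteSelfSignedPair writes a constructed self-signed cert/key with the given
// CommonName into dir so the example runs offline; rewriting simulates rotation.
func WriteSelfSignedPair(dir, cn string) (certPath, keyPath string, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", "", err
	}
	certPath, keyPath = filepath.Join(dir, "client.crt"), filepath.Join(dir, "client.key")
	if err = os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return "", "", err
	}
	err = os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
	return certPath, keyPath, err
}

// CurrentCN returns the CommonName of the certificate the reloader presents now.
func CurrentCN(r *CertReloader) (string, error) {
	c, err := r.GetClientCertificate(nil)
	if err != nil {
		return "", err
	}
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return "", err
	}
	return leaf.Subject.CommonName, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "reload")
	defer os.RemoveAll(dir)
	certPath, keyPath, _ := WriteSelfSignedPair(dir, "gateway-v1")
	r, _ := NewCertReloader(certPath, keyPath)
	_ = ClientTLSConfig(r)
	cn, _ := CurrentCN(r)
	fmt.Println("before rotation:", cn)
	time.Sleep(20 * time.Millisecond)
	WriteSelfSignedPair(dir, "gateway-v2") // rotate in place
	cn, _ = CurrentCN(r)
	fmt.Println("after rotation:", cn)
}
```

Checking on each handshake rather than on a timer means a rotated pair is picked up by the very next connection; the trade-off is two `stat` calls per handshake, which is cheap compared with the handshake itself. Keeping the previous pair on a failed parse matters operationally: rotation tooling often writes the certificate and key as two separate files, and the gap between those writes must not take the upstream connection down.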

@rubenvp8510 rubenvp8510 force-pushed the refresh_tls branch 2 times, most recently from 4fea880 to 44abbae Compare June 16, 2024 01:36
@periklis (Contributor)

Why only the traces endpoint? Can't we make it available but opt-in to every signal?

@rubenvp8510 (Contributor, Author)

Yes! I will extend this to all endpoints :)

@rubenvp8510 rubenvp8510 marked this pull request as ready for review June 18, 2024 06:50
@rubenvp8510 rubenvp8510 force-pushed the refresh_tls branch 4 times, most recently from 412c763 to 917d08c Compare June 28, 2024 19:03
@rubenvp8510 rubenvp8510 force-pushed the refresh_tls branch 3 times, most recently from 9d6176f to 5b99c12 Compare June 30, 2024 01:28
@rubenvp8510 rubenvp8510 force-pushed the refresh_tls branch 3 times, most recently from de6c05e to a1957e6 Compare June 30, 2024 17:47
Signed-off-by: Ruben Vargas <[email protected]>
@douglascamata (Contributor) left a comment

Thanks a lot for your work, @rubenvp8510.

This mostly looks good to me; I have just left a few minor comments regarding some documentation in the codebase. With them handled I think we'll be good to merge, imho.

@rubenvp8510 rubenvp8510 requested a review from douglascamata July 7, 2024 04:10
@rubenvp8510 (Contributor, Author)

@douglascamata Sorry for the late response. This is ready for review again. Thank you very much!

@douglascamata (Contributor) left a comment

Just a few minor things left, imho.

type UpstreamOptions struct {
	cert         *stdtls.Certificate
	ca           []byte
	certReloader *rbacproxytls.CertReloader
}
@douglascamata (Contributor) commented Jul 9, 2024

I think we could improve the name here to try to make things easier to understand. *rbacproxytls.CertReloader is a certificate reloader for the tenants' mTLS certs. So maybe UpstreamOptions.certReloader could be named UpstreamOptions.tenantsCertReloader.

Without this it makes me wonder: why there is a certReloader and a caReloader here? Both are certs! This makes me also confused about the separate startCertReloader and startCAReloader.

This brings me to wonder about the name of the struct itself. What is "upstream" in UpstreamOptions? 🤔

@rubenvp8510 (Contributor, Author)

Why tenantsCertReloader? I don't see where the tenants are involved here. Upstream means all upstream services for logs/metrics/traces. At least that is the terminology used throughout the gateway. For instance:

File containing the TLS client key to authenticate against upstream logs servers. Leave blank to disable mTLS.

@douglascamata (Contributor)

Humm, I see. So I got it wrong. Probably we could clarify this. There are many certs everywhere, and reloaders for them, so things are confusing.

@philipgough (Contributor) left a comment

/lgtm

@saswatamcode (Member) left a comment

LGTM!

@douglascamata douglascamata changed the title Add watcher to TLS certificates Add watcher for upstreams TLS certificates Jul 17, 2024
@douglascamata douglascamata merged commit aa210f8 into observatorium:main Jul 17, 2024
5 checks passed