Add a file watcher for Azure client cert auth #5254
Conversation
k8s-ci-robot
added
release-note-none
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
cncf-cla: yes
|
Hi @bryan-cox. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
needs-ok-to-test
bryan-cox
force-pushed
the
aro-hcp-cert-follow-up
branch
from
e5a9fa2
to
b7649d5
Compare
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
/retest |
bryan-cox
force-pushed
the
aro-hcp-cert-follow-up
branch
3 times, most recently
from
0352e27
to
e956714
Compare
|
/test pull-cluster-api-provider-azure-test |
bryan-cox
force-pushed
the
aro-hcp-cert-follow-up
branch
from
e956714
to
0b3bf20
Compare
Add a file watcher, utilizing fsnotify, to monitor the Azure client certificate authentication. If the file changes, the pod will need to be restarted since Azure SDK doesn't support hotloading a new certificate yet. Signed-off-by: Bryan Cox <[email protected]>
bryan-cox
force-pushed
the
aro-hcp-cert-follow-up
branch
from
0b3bf20
to
97352d2
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #5254 +/- ##
=======================================
Coverage 52.78% 52.78%
=======================================
Files 270 271 +1
Lines 29057 29103 +46
=======================================
+ Hits 15337 15362 +25
- Misses 12928 12945 +17
- Partials 792 796 +4 ☔ View full report in Codecov by Sentry. |
| case event, ok := <-watcher.Events: | ||
| if ok && (event.Has(fsnotify.Write) || event.Has(fsnotify.Chmod) || event.Has(fsnotify.Remove)) { | ||
| klog.Infof("file, %s, was modified, exiting...", event.Name) | ||
| os.Exit(0) |
There was a problem hiding this comment.
Is there some more graceful way we can handle this? I don't remember off the top of my head what kinds of cleanup things we might be doing now in main (or will need to do in the future), but I'd prefer not to have to worry about that at all 😄.
There was a problem hiding this comment.
I'm open to alternative suggestions. This is just the pattern we were using in a different project for this specific scenario with Azure SDK not being able to hotload the new cert and requiring the pod to restart in order to use the new cert.
Maybe I'm missing it but I don't see any cleanup things in the main.go. Is that where you were referencing or was it someplace else.
There was a problem hiding this comment.
Azure SDK doesn't support hotloading a new certificate yet
What exactly does this mean? CAPZ orchestrates reading the cert from disk and using that to create a TokenCredential, and it's already doing that once in every reconciliation. Do successive calls to azidentity.NewClientCertificateCredential with different certificates not produce working creds?
What type of PR is this?
/kind feature
What this PR does / why we need it:
Add a file watcher, utilizing fsnotify, to monitor the Azure client certificate authentication. If the file changes, the pod will need to be restarted since Azure SDK doesn't support hotloading a new certificate yet.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
This is a follow up to #5200
TODOs:
Release note: