Improve dynamic cert file change detection #104102
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
area/dependency
|
/assign @deads2k could you help triage? Thanks. /triage accepted |
k8s-ci-robot
added
triage/accepted
|
|
||
| // TODO this can be wired to an fsnotifier as well. | ||
| // start the loop that watches the CA file until stopCh is closed. | ||
| go wait.NonSlidingUntil(func() { c.watchCAFile(stopCh) }, time.Second, stopCh) |
There was a problem hiding this comment.
Since watchCAFile only returns on error, let's make the retry every minute instead of every second to avoid warm loops.
There was a problem hiding this comment.
Why non-sliding? I think we want the timer to interval to start when the function ends, not when it starts.
There was a problem hiding this comment.
Thanks for the review. watchCAFile also returns on file removal. The 1 second interval and non-sliding is for the mounted volume case: if a secret includes the CA bundle is mounted in a Pod, updating the secret leads to a file replacement, not content update. fsnotify watcher will receive a fsnotify.Remove event of the old file. If we use one minute as the interval and slidingUntil, it will restart the watch after one minute even the new file is ready immediately.
Maybe I could handle file removal in watchCAFile and start a new watch immediately without relying on the external loop. Then the external loop handles error case only and can wait longer interval.
There was a problem hiding this comment.
I have made the change, PTAL.
tnqn
force-pushed
the
dynamic-file
branch
2 times, most recently
from
bb24290
to
5eeae97
Compare
| if err := w.Add(c.filename); err != nil { | ||
| return fmt.Errorf("error adding watch for file %s: %v", c.filename, err) | ||
| } | ||
| c.queue.Add(workItemKey) |
There was a problem hiding this comment.
Do this before you remove the file and add it back. Doing it here means you could return an error and not trigger the workqueue for another minute.
There was a problem hiding this comment.
ditto, a trigger after starting watch is required to prevent the same race condition above. There is also a trigger in L188, which will trigger reload as long as the current file has any update. The two triggers can be merged by using defer but the routine will need to be wrapped in a function then. Please let me know which way you would prefer.
There was a problem hiding this comment.
I updated this a little to guarantee a resync will be triggered after any event is received and it will be executed after starting new watch if there is.
staging/src/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go
Show resolved
Hide resolved
| if err := w.Add(e.Name); err != nil { | ||
| return fmt.Errorf("error adding watch for file %s: %v", e.Name, err) | ||
| } | ||
| c.queue.Add(workItemKey) |
There was a problem hiding this comment.
remind me how cert/key mismatches are handled. A code reference comment right here about how it will handled when one is updated before the other would be helpful. Previously, at a one minute polling cycle it was pretty unlikely, but I'm hoping past-me did something clever.
There was a problem hiding this comment.
You definitely handled this well: the certificate and key are validated before they are used. If either is missing or they don't match, an error will be returned and workqueue will reschedule it later with rate limiter. I will add comment to explain it.
| func (c *DynamicFileCAContent) handleWatchEvent(e fsnotify.Event, w *fsnotify.Watcher) error { | ||
| // This should be executed after restarting the watch (if applicable) to ensure no file event will be missing. | ||
| defer c.queue.Add(workItemKey) | ||
| if e.Op&(fsnotify.Remove|e.Op&fsnotify.Rename) > 0 { |
There was a problem hiding this comment.
since you'll be pushing an update anyway, the project standard is to invert this check and return nil, so i think that's
if condition <=0{
return nil
}
w.remove
w.addThere was a problem hiding this comment.
done, thanks for the suggestion.
k8s-ci-robot
added
the
area/dependency
DynamicFileCAContent and DynamicCertKeyPairContent used periodical job to check whether the file content has changed, leading to 1 minute of delay in worst case. This patch improves it by leveraging fsnotify watcher. The content change will be reflected immediately.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, tnqn The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind bug
What this PR does / why we need it:
DynamicFileCAContent and DynamicCertKeyPairContent used periodical job to check whether the file content has changed, leading to 1 minute of delay in worst case. This patch improves it by leveraging fsnotify watcher. The content change will be reflected immediately.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
This is also a TODO @deads2k left in the code.
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: