Skip to content

release-24.3: security: cache certificate expiration metrics as pointers#142843

Merged
angles-n-daemons merged 1 commit intorelease-24.3from
blathers/backport-release-24.3-142682
Mar 17, 2025
Merged

release-24.3: security: cache certificate expiration metrics as pointers#142843
angles-n-daemons merged 1 commit intorelease-24.3from
blathers/backport-release-24.3-142682

Conversation

@blathers-crl
Copy link

@blathers-crl blathers-crl bot commented Mar 13, 2025
edited by angles-n-daemons
Loading

Backport 1/1 commits from #142682 on behalf of @angles-n-daemons.

/cc @cockroachdb/release

security: cache certificate expiration metrics as pointers

Changes in #130110 were added to add labelled ttl metrics to client certificates. It achieved this by changing the system which cached certificate expiries to cache on a composite struct of two metrics, rather than just an expiration metric.

The struct itself housed the metrics as inline values, rather than pointers, so updates were registered in the cached values only, and not the registry in which they were reporting. This means that updates to client certificate expirations would not be reflected by the ttl or expiration metrics.

This ticket modifies those elements so that they are not copied when they are pulled from the cache.

Fixes: #142681
Epic: CRDB-40209

Release note (bug fix): Fixes bug in client certificate expiration metrics.

Release justification: fixes an a bug for customer certificate authentication

@angles-n-daemons
security: cache certificate expiration metrics as pointers
63c6abe 
Changes in #130110 were added to add labelled ttl metrics to
client certificates. It achieved this by changing the system
which cached certificate expiries to cache on a composite
struct of two metrics, rather than just an expiration
metric.

The struct itself housed the metrics as inline values,
rather than pointers, so updates were registered in the
cached values only, and not the registry in which they were
reporting. This means that updates to client certificate
expirations would not be reflected by the ttl or expiration
metrics.

This ticket modifies those elements so that they are not
copied when they are pulled from the cache.

Fixes: #142681
Epic: CRDB-40209

Release note (bug fix): Fixes bug in client certificate expiration metrics.
@blathers-crl blathers-crl bot requested review from a team as code owners March 13, 2025 17:57
@blathers-crl blathers-crl bot added blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot. labels Mar 13, 2025
@blathers-crl
Copy link
Author

blathers-crl bot commented Mar 13, 2025
edited by angles-n-daemons
Loading

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Backports should only be created for serious
    issues     or test-only changes.
  • Backports should not break backwards-compatibility.
  • Backports should change as little code as possible.
  • Backports should not change on-disk formats or node communication protocols.
  • Backports should not add new functionality (except as defined
    here).
  • Backports must not add, edit, or otherwise modify cluster versions; or add version gates.
  • All backports must be reviewed by the owning areas TL. For more information as to how that review should be conducted, please consult the backport
    policy    .
If your backport adds new functionality, please ensure that the following additional criteria are satisfied:
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters. State changes must be further protected such that nodes running old binaries will not be negatively impacted by the new state (with a mixed version test added).
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.
  • Your backport must be accompanied by a post to the appropriate Slack
    channel (#db-backports-point-releases or #db-backports-XX-X-release) for awareness and discussion.

Also, please add a brief release justification to the body of your PR to justify this
backport.

@blathers-crl blathers-crl bot added the backport Label PR's that are backports to older release branches label Mar 13, 2025
@cockroach-teamcity
Copy link
Member

cockroach-teamcity commented Mar 13, 2025

This change is Reviewable

@angles-n-daemons angles-n-daemons merged commit 8da9043 into release-24.3 Mar 17, 2025
15 of 16 checks passed
@angles-n-daemons angles-n-daemons deleted the blathers/backport-release-24.3-142682 branch March 17, 2025 14:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dhartunian dhartunian dhartunian approved these changes

Assignees

@angles-n-daemons angles-n-daemons

Labels

backport Label PR's that are backports to older release branches blathers-backport This is a backport that Blathers created automatically. O-robot Originated from a bot. T-observability v24.3.12

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@cockroach-teamcity @dhartunian @angles-n-daemons @crl-codesys-jira