Skip to content

release-24.1: security: cache certificate expiration metrics as pointers#142915

Merged
angles-n-daemons merged 1 commit intocockroachdb:release-24.1from
angles-n-daemons:backport24.1-142682
Mar 17, 2025
Merged

release-24.1: security: cache certificate expiration metrics as pointers#142915
angles-n-daemons merged 1 commit intocockroachdb:release-24.1from
angles-n-daemons:backport24.1-142682

Conversation

@angles-n-daemons
Copy link
Contributor

@angles-n-daemons angles-n-daemons commented Mar 14, 2025

Backport 1/1 commits from #142682.

/cc @cockroachdb/release

security: cache certificate expiration metrics as pointers

Changes in #130110 were added to add labelled ttl metrics to client certificates. It achieved this by changing the system which cached certificate expiries to cache on a composite struct of two metrics, rather than just an expiration metric.

The struct itself housed the metrics as inline values, rather than pointers, so updates were registered in the cached values only, and not the registry in which they were reporting. This means that updates to client certificate expirations would not be reflected by the ttl or expiration metrics.

This ticket modifies those elements so that they are not copied when they are pulled from the cache.

Fixes: #142681
Epic: CRDB-40209

Release note (bug fix): Fixes bug in client certificate expiration metrics.

Release justification: fixes an a bug for customer certificate authentication

@angles-n-daemons angles-n-daemons requested a review from a team as a code owner March 14, 2025 18:05
@blathers-crl
Copy link

blathers-crl bot commented Mar 14, 2025
edited by angles-n-daemons
Loading

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Backports should only be created for serious
    issues     or test-only changes.
  • Backports should not break backwards-compatibility.
  • Backports should change as little code as possible.
  • Backports should not change on-disk formats or node communication protocols.
  • Backports should not add new functionality (except as defined
    here).
  • Backports must not add, edit, or otherwise modify cluster versions; or add version gates.
  • All backports must be reviewed by the owning areas TL. For more information as to how that review should be conducted, please consult the backport
    policy    .
If your backport adds new functionality, please ensure that the following additional criteria are satisfied:
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters. State changes must be further protected such that nodes running old binaries will not be negatively impacted by the new state (with a mixed version test added).
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.
  • Your backport must be accompanied by a post to the appropriate Slack
    channel (#db-backports-point-releases or #db-backports-XX-X-release) for awareness and discussion.

Also, please add a brief release justification to the body of your PR to justify this
backport.

@blathers-crl blathers-crl bot added the backport Label PR's that are backports to older release branches label Mar 14, 2025
@cockroach-teamcity
Copy link
Member

cockroach-teamcity commented Mar 14, 2025

This change is Reviewable

@angles-n-daemons
security: cache certificate expiration metrics as pointers
0ab04cb 
Changes in cockroachdb#130110 were added to add labelled ttl metrics to
client certificates. It achieved this by changing the system
which cached certificate expiries to cache on a composite
struct of two metrics, rather than just an expiration
metric.

The struct itself housed the metrics as inline values,
rather than pointers, so updates were registered in the
cached values only, and not the registry in which they were
reporting. This means that updates to client certificate
expirations would not be reflected by the ttl or expiration
metrics.

This ticket modifies those elements so that they are not
copied when they are pulled from the cache.

Fixes: cockroachdb#142681
Epic: CRDB-40209

Release note (bug fix): Fixes bug in client certificate expiration metrics.
@angles-n-daemons angles-n-daemons merged commit c2009e9 into cockroachdb:release-24.1 Mar 17, 2025
15 of 16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dhartunian dhartunian dhartunian approved these changes

Assignees

No one assigned

Labels

backport Label PR's that are backports to older release branches T-observability v24.1.18

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@angles-n-daemons @cockroach-teamcity @dhartunian @crl-codesys-jira