
Keypair rotation #3208

Merged
merged 36 commits into from
Jul 20, 2023
Merged

Conversation

Leo6Leo
Contributor

@Leo6Leo Leo6Leo commented Jul 11, 2023

Fixes #3164

Proposed Changes

  • Set up a watcher that listens for changes in the mounted secret volume
  • Use updateSSLOptions to update the server SSL options when the changes in the mounted secret volume are detected by the watcher

Task List

Additional Note

Release Note

SSL options change when the mounted secret file changed

Docs

@knative-prow

knative-prow bot commented Jul 11, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@knative-prow knative-prow bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 11, 2023
@knative-prow knative-prow bot requested review from aliok and odacremolbap July 11, 2023 20:34
@knative-prow-robot knative-prow-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 11, 2023
@knative-prow knative-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/control-plane area/data-plane labels Jul 11, 2023
@Leo6Leo
Contributor Author

Leo6Leo commented Jul 11, 2023

Today I was trying to directly modify the .key file by entering the bash of the pod with kubectl exec -it kafka-sink-receiver-698ff747b4-75sg6 --namespace=knative-eventing -- /bin/sh, but it doesn't work despite a lot of different attempts. :((

@Cali0707 suggested that I write some unit tests, so I will write some unit tests tomorrow to make sure my function works as expected! :))

@pierDipi
Member

Today I was trying to directly modify the .key file by entering the bash of the pod with kubectl exec -it kafka-sink-receiver-698ff747b4-75sg6 --namespace=knative-eventing -- /bin/sh, but it doesn't work despite a lot of different attempts. :((

Yes, our container filesystems are usually read-only, so you can't do that, see
https://cert-manager.io/docs/usage/certificate/, section: "Actions that will trigger a rotation of the private key"

@Cali0707 suggested that I write some unit tests, so I will write some unit tests tomorrow to make sure my function works as expected! :))

@knative-prow-robot knative-prow-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 12, 2023
@knative-prow knative-prow bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jul 12, 2023
@codecov

codecov bot commented Jul 12, 2023

Codecov Report

Merging #3208 (7039365) into main (05694b6) will decrease coverage by 16.19%.
The diff coverage is 75.80%.

@@              Coverage Diff              @@
##               main    #3208       +/-   ##
=============================================
- Coverage     79.84%   63.65%   -16.19%     
- Complexity      763      774       +11     
=============================================
  Files            78      170       +92     
  Lines          2744    11915     +9171     
  Branches        246      250        +4     
=============================================
+ Hits           2191     7585     +5394     
- Misses          401     3754     +3353     
- Partials        152      576      +424     
Flag Coverage Δ
java-unittests 80.14% <75.80%> (+0.29%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...eventing/kafka/broker/core/file/SecretWatcher.java 71.42% <71.42%> (ø)
...g/kafka/broker/receiver/impl/ReceiverVerticle.java 87.62% <78.78%> (+19.05%) ⬆️
.../broker/receiver/main/ReceiverVerticleFactory.java 78.57% <100.00%> (+1.64%) ⬆️

... and 92 files with indirect coverage changes

@knative-prow knative-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 12, 2023
@Leo6Leo
Contributor Author

Leo6Leo commented Jul 12, 2023

@pierDipi @creydr I have switched to a filesystem watcher, and by writing a small test I can see that when the file changes, the update function is called. I am wondering whether I am on the right track?

OpenJDK 64-Bit Server VM warning: Sharing is only supported for boot loader classes because bootstrap classpath has been appended
18:02:26.782 [vert.x-eventloop-thread-1] INFO  dev.knative.eventing.kafka.broker.receiver.impl.ReceiverVerticle - Starting SecretWatcher
18:02:26.791 [Thread-2] INFO  dev.knative.eventing.kafka.broker.core.file.SecretWatcher - Detected change to secret tls.crt
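As an added example (not the project's own SecretWatcher, whose source is not on this page), here is a JDK-only watcher covering both the "Proposed Changes" in the PR description and the log output in the comment above: it watches the secret's mount directory, recognises the kubelet symlink swap, and invokes a callback only when the content of tls.crt or tls.key has actually changed. The class and method names (`SecretWatcher`, `KUBELET_DATA_LINK`, `refreshDigests`, `writeGeneration`) and the temp-directory layout in `main` are assumptions for the demo; the Vert.x `updateSSLOptions` call the PR wires in is left to the `Runnable` callback.

```java
import java.io.IOException;
import java.nio.file.*;
import java.security.MessageDigest;
import java.util.*;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import static java.nio.file.StandardWatchEventKinds.*;

// Added example (not the project's code): watches a mounted Secret volume and fires a callback
// only when tls.crt or tls.key really changed. Requires Java 11+ and symlink support (Linux).
public final class SecretWatcher implements Runnable, AutoCloseable {

    // Kubelet publishes a Secret as symlinks tls.crt -> ..data/tls.crt and rotates by atomically
    // swapping the "..data" symlink. The files themselves are never modified in place, so an
    // event on "..data" is the signal to look for; ENTRY_MODIFY on tls.crt will not arrive.
    static final String KUBELET_DATA_LINK = "..data";

    private final Path dir;
    private final List<String> watchedFiles;
    private final Runnable onChange;
    private final WatchService watchService;
    private final Map<String, byte[]> lastDigest = new HashMap<>();

    public SecretWatcher(Path dir, List<String> watchedFiles, Runnable onChange) throws IOException {
        this.dir = dir;
        this.watchedFiles = watchedFiles;
        this.onChange = onChange;
        this.watchService = dir.getFileSystem().newWatchService();
        dir.register(watchService, ENTRY_CREATE, ENTRY_MODIFY, ENTRY_DELETE);
        refreshDigests(); // baseline, so start-up does not cause a spurious reload
    }

    @Override
    public void run() {
        try {
            while (true) {
                WatchKey key = watchService.take();
                boolean relevant = false;
                for (WatchEvent<?> event : key.pollEvents()) {
                    if (event.kind() == OVERFLOW) { relevant = true; continue; } // events lost: re-check
                    String name = event.context().toString();
                    if (KUBELET_DATA_LINK.equals(name) || watchedFiles.contains(name)) relevant = true;
                }
                // One rotation produces several events; the digest check collapses them into a
                // single reload and ignores touches that leave the key pair unchanged.
                if (relevant && refreshDigests()) onChange.run();
                if (!key.reset()) break; // directory no longer accessible
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        } catch (ClosedWatchServiceException e) {
            // close() was called
        }
    }

    // Re-hashes each watched file; true if any digest differs from the previous snapshot.
    private synchronized boolean refreshDigests() {
        boolean changed = false;
        for (String name : watchedFiles) {
            byte[] digest = digestOf(dir.resolve(name));
            if (!Arrays.equals(digest, lastDigest.put(name, digest))) changed = true;
        }
        return changed;
    }

    private static byte[] digestOf(Path file) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(file));
        } catch (IOException e) {
            return null; // absent mid-rotation: treated as unchanged until it is back
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override
    public void close() throws IOException { watchService.close(); }

    // Demo (constructed data): kubelet-style layout in a temp dir, one rotation, one callback.
    public static void main(String[] args) throws Exception {
        Path mount = Files.createTempDirectory("secret-mount");
        Path gen1 = writeGeneration(mount, "..gen1", "CERT-1", "KEY-1");
        Files.createSymbolicLink(mount.resolve(KUBELET_DATA_LINK), gen1.getFileName());
        for (String f : List.of("tls.crt", "tls.key")) {
            Files.createSymbolicLink(mount.resolve(f), Path.of(KUBELET_DATA_LINK, f));
        }
        CountDownLatch reloaded = new CountDownLatch(1);
        try (SecretWatcher w = new SecretWatcher(mount, List.of("tls.crt", "tls.key"), reloaded::countDown)) {
            Thread t = new Thread(w, "secret-watcher");
            t.setDaemon(true);
            t.start();
            // Rotate the way kubelet does: write a new generation, then rename a link over "..data".
            Path gen2 = writeGeneration(mount, "..gen2", "CERT-2", "KEY-2");
            Files.createSymbolicLink(mount.resolve("..data_tmp"), gen2.getFileName());
            Files.move(mount.resolve("..data_tmp"), mount.resolve(KUBELET_DATA_LINK),
                    StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
            boolean fired = reloaded.await(30, TimeUnit.SECONDS); // macOS WatchService polls slowly
            System.out.println("reload fired: " + fired + ", tls.crt now: " + Files.readString(mount.resolve("tls.crt")));
        }
    }

    private static Path writeGeneration(Path mount, String name, String cert, String key) throws IOException {
        Path gen = Files.createDirectory(mount.resolve(name));
        Files.writeString(gen.resolve("tls.crt"), cert);
        Files.writeString(gen.resolve("tls.key"), key);
        return gen;
    }
}
```

Run it with `java SecretWatcher.java` on Linux. In a receiver the `Runnable` is where the server's `updateSSLOptions` call with key/cert options pointing at the same paths would go, chained with `onSuccess`/`onFailure` as the commit list in this PR describes. The digest comparison is deliberate: a rotation produces several directory events, and a watcher that reloads on each would push the same key pair into the server repeatedly, while a watcher that only looks at ENTRY_MODIFY on the file names would never fire at all, because the kubelet replaces the symlink target rather than the file.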

@knative-prow-robot knative-prow-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 19, 2023
@knative-prow-robot knative-prow-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 19, 2023
@Leo6Leo Leo6Leo requested a review from pierDipi July 19, 2023 15:01
Member

@pierDipi pierDipi left a comment

Thanks @Leo6Leo !

Leo6Leo and others added 6 commits July 19, 2023 11:26
…r/core/file/SecretWatcher.java

Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com>
…r/core/file/SecretWatcher.java

Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com>
@Leo6Leo
Contributor Author

Leo6Leo commented Jul 19, 2023

Should I try to implement this approach I mentioned here? #3208 (comment) @pierDipi

@Leo6Leo Leo6Leo requested a review from pierDipi July 19, 2023 15:36
@pierDipi
Member

Should I try to implement this approach I mentioned here? #3208 (comment) @pierDipi

I'd say not required, more like a future enhancement?

@Leo6Leo
Contributor Author

Leo6Leo commented Jul 19, 2023

/retest

@Leo6Leo
Contributor Author

Leo6Leo commented Jul 19, 2023

/retest

1 similar comment
@Leo6Leo
Contributor Author

Leo6Leo commented Jul 19, 2023

/retest

@Leo6Leo
Contributor Author

Leo6Leo commented Jul 19, 2023

/retest-required

Member

@pierDipi pierDipi left a comment

Thank you!

/lgtm
/approve

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Jul 20, 2023
@knative-prow

knative-prow bot commented Jul 20, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Leo6Leo, pierDipi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 20, 2023
@pierDipi
Member

/test channel-integration-tests-sasl-ssl

1 similar comment
@pierDipi
Member

/test channel-integration-tests-sasl-ssl

@knative-prow knative-prow bot merged commit b30da88 into knative-extensions:main Jul 20, 2023
Rahul-Kumar-prog pushed a commit to Rahul-Kumar-prog/eventing-kafka-broker that referenced this pull request Jul 31, 2023
* Bump Quarkus to 3.1.2 Final (test failing)

* update the dependencies, and overwrite the antlr version

* Code-gen

* codegen

* Bump up vertx and complete codegen

* Trying to implement the keypair rotation

* Finish implementing the watcher

* codegen

* Write the filesystem watcher

* Execute the sslOptions update if the changes are detected

* Close the watcher if the vertx server is shut down

* Update data-plane/core/src/main/java/dev/knative/eventing/kafka/broker/core/file/SecretWatcher.java

Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com>

* Separate the testing env and the production env

* Change the key and crt file names to use variable

* Change variable to private

* Update the assert rules

* Format change

* Add the condition check for secretWatcher

* Update data-plane/receiver/src/main/java/dev/knative/eventing/kafka/broker/receiver/impl/ReceiverVerticle.java

Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com>

* Changed to use onSuccess and onFailure

* Move the injection to the constructor

* Update the ReceiverVerticleFactory

* reformat

* Update data-plane/core/src/main/java/dev/knative/eventing/kafka/broker/core/file/SecretWatcher.java

Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com>

* Update data-plane/core/src/main/java/dev/knative/eventing/kafka/broker/core/file/SecretWatcher.java

Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com>

* Fixed all the comments in the second round of review

* Fixed all the comments in the second round of review

* Format fix

* Format fix

* codegen

---------

Co-authored-by: Pierangelo Di Pilato <pierangelodipilato@gmail.com>
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/control-plane area/data-plane lgtm Indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Eventing TLS: Support rotating TLS key pair
3 participants