fix: CrashLoopBackOff once tlsProfile changed

[opokornyy]

What this PR does / why we need it:

This PR adds the usage of callbacks to Prometheus and the webhook server, enabling the dynamic reloading of the TLS configuration. This eliminates the necessity of restarting the SSP pod, which had previously led to the pod entering the CrashLoopBackOff state.

Fixes #

https://bugzilla.redhat.com/show_bug.cgi?id=2151248

Release note:

None

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[opokornyy]

/cc @0xFelix @akrejcir

[codingben]

Hi, if this PR is still under work, can you please convert it to Draft? so CI won't run.

[0xFelix]

In general this goes into the right direction. The GetConfigForClient functions still need to be deduplicated, improved and should not be lambda functions.

[0xFelix]

This func is never returning true, so it can likely be dropped.

[akrejcir]

I've removed my comment here, because it was irrelevant. Sorry for the noise.

[0xFelix]

Not sure we can do this. I don't think this allows to change the config later without restart?

[0xFelix]

What does it mean?

[0xFelix]

Ready replicas is dangerous, might better use UpdatedReplicas. @jcanocan

[jcanocan]

You can check both just to be sure.

[0xFelix]

Do not exit here, better return an error.

[0xFelix]

Not sure how expensive it is to load certs on every request. You might cache some of this.

[akrejcir]

Agreed.
There is already a certificate watcher in the controller-runtime library. Maybe we can use that, I will check...

[akrejcir]

Here it is: https://github.com/kubevirt/ssp-operator/blob/9d3869accf1c183cdf66b3fdf572a3d8e9ec5a2d/vendor/sigs.k8s.io/controller-runtime/pkg/certwatcher/certwatcher.go#L45-L44

You can simply create a new CertWatcher and then add it to the manager to start it. Or call Start() manually in a separate goroutine.

[codingben]

Can you please add a link to that function? e.g. so I can compare the changes here and there, if there any changes.

[codingben]

Can you please add a link to that function, in that file?

[codingben]

Can you please extract it to a new function, to keep runPrometheusServer() short?

[codingben]

Is it possible to keep that function outside of main()? I think it's a good practice to keep main() short function, it's easier to read the code that way.

[codingben]

Currently main() is very long and should be very short, in general.

[codingben]

Hi, if this PR is still under work, can you please convert it to Draft? so CI won't run.

Also I'd suggest to have shorter commit title, and update the PR description to be the same as commit description (so you won't forget to sync them later).

Now you have:

fix: SSP operator moving to CrashLoopBackOff after tlsProfile change

This commit adds the usage of callbacks to Prometheus and
Webhook server to fetch TLS config on every request.

Signed-off-by: Ondrej Pokorny <opokorny@redhat.com>

I'd suggest to give it a name according to "This commit will fix: CrashLoopBackOff once tlsProfile changed" sentence. For example:

fix: CrashLoopBackOff once tlsProfile changed

Add usage of callbacks to Prometheus and webhook
server to fetch TLS config on each client request.

Signed-off-by: Ondrej Pokorny <opokorny@redhat.com>

[jcanocan]

No need to log the error here. Just return the error and the calling function will log it for you

[jcanocan]

You can check both just to be sure.

[0xFelix]

Why not use the func in internal/common/crypto_policy.go?

[0xFelix]

common.GetSspTlsOptions is making API calls for every request if it stays like this. IMO we should have a Watcher/SharedInformer for the SSP CR and use it to retrieve the SSP if it was changed. Otherwise the SSP CR should be cached.

[0xFelix]

IMO we don't need to log this on every request.

[0xFelix]

Same issue as above, SSP CR needs to be cached.

[0xFelix]

Same as above.

[jcanocan]

Can we extract this to an external function? It is duplicated on getTLSConfigFunc().

[0xFelix]

Indeed

[0xFelix]

Please avoid globals.

[0xFelix]

Is there a lib for this too?

[opokornyy]

There is this function, but the problem is that it causes panic for some cipher names and we just want to log that the cipher is not supported

ssp-operator/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go

Lines 233 to 245 in fc1d67c

	func CipherSuitesOrDie(cipherNames []string) []uint16 {
	if len(cipherNames) == 0 {
	return DefaultCiphers()
	}
	cipherValues := []uint16{}
	for _, cipherName := range cipherNames {
	cipher, err := CipherSuite(cipherName)
	if err != nil {
	panic(err)
	}
	cipherValues = append(cipherValues, cipher)
	}
	return cipherValues

[0xFelix]

Can you dedup the calls to common.CipherIDs and crypto.TLSVersion? This block and the block below look very similar.

[0xFelix]

Indeed

[lyarwood]

/cc

[akrejcir]

A partial review. I will look at it more later.

[akrejcir]

Please keep the nil log here, because the change is not part of this PR. If you want, you can open a new PR to add the log.

[akrejcir]

This is not correct, because crypto.TLSVersion() function expects one of these names:

ssp-operator/vendor/github.com/openshift/library-go/pkg/crypto/crypto.go

Lines 37 to 42 in 9e99e78

	var versions = map[string]uint16{
	"VersionTLS10": tls.VersionTLS10,
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
	}

So a string like: VersionTLS12, but ti.sspTLSOptions.MinTLSVersion is a string returned by this function:

ssp-operator/internal/common/crypto_policy.go

Lines 119 to 134 in 11c2e89

	func tlsVersionToHumanReadable(version ocpv1.TLSProtocolVersion) (string, error) {
	switch version {
	case "":
	return "", nil
	case ocpv1.VersionTLS10:
	return "1.0", nil
	case ocpv1.VersionTLS11:
	return "1.1", nil
	case ocpv1.VersionTLS12:
	return "1.2", nil
	case ocpv1.VersionTLS13:
	return "1.3", nil
	default:
	return "", fmt.Errorf("invalid ocpv1.VersionTLS %v", version)
	}
	}

For example: 1.2.

[akrejcir]

Please move local imports to the block below.

[akrejcir]

Three comments for this function:

• After thinking about this more, I think it is better to have a parameter type cache.Cache instead of client.Client. It has the same reading methods as Client, but cannot be used for writing.
• Usually the context.Context parameter is the first.
• Please don't include the word Callback in a function name. In my opinion, it's better to name a function, by what it does, then by how it is used.

[akrejcir]

This line can be removed, because err is redefined below.

[akrejcir]

When this error is returned, the cfg parameter has already been modified. Can you change the code, so that on error, the cfg parameter is kept unchanged?

[akrejcir]

Similarly here, please keep the cfg unchanged on error.

[0xFelix]

This too?

[akrejcir]

Can you rename this function to newPrometheusServer()? Because it is a constructor.

[akrejcir]

Can you move this logic to prometheusServer.Start() method? It makes sense to call it when the server is started, not when it's created.

[akrejcir]

Similarly, can you move the certWatcher creation and start to the prometheusServer.Start() method?

[0xFelix]

Added some comments

[0xFelix]

Suggested change

	var tlsProfile *ocpconfigv1.TLSSecurityProfile
	if len(sspList.Items) != 0 {
	tlsProfile = sspList.Items[0].Spec.TLSSecurityProfile
	}
	if tlsProfile == nil {
	cfg.MinVersion = crypto.DefaultTLSVersion()
	cfg.CipherSuites = nil
	return cfg, nil
	}
	if len(sspList.Items) == 0 {
	cfg.MinVersion = crypto.DefaultTLSVersion()
	cfg.CipherSuites = nil
	return cfg, nil
	}
	tlsProfile := sspList.Items[0].Spec.TLSSecurityProfile

[0xFelix]

Do it like this?

[opokornyy]

We still need to check if spec.TLSSecurityProfile is nil or not, so we would need to do it like this

if len(sspList.Items) == 0 || sspList.Items[0].Spec.TLSSecurityProfile == nil {
  cfg.MinVersion = crypto.DefaultTLSVersion()
  cfg.CipherSuites = nil
  return cfg, nil
}

tlsProfile := sspList.Items[0].Spec.TLSSecurityProfile

[0xFelix]

ACK

[0xFelix]

Maybe inline this?

[0xFelix]

This too?

[0xFelix]

This too?

[0xFelix]

Merge it with L138?

[opokornyy]

It is not possible to call s.server.Handler.Handle() function, so we probably can not do it like that

[0xFelix]

ACK

[0xFelix]

This should assert that we have the amount of ready and updated replicaes specified in spec.Replicas. Not just >= 1.

[jcanocan]

@0xFelix @akrejcir @opokornyy I have two questions:

1. As it is now, as far as I was able to test, the crypto suite is not reverting TLS profiles to its original state. Should we fix this as part of this PR or as a follow-up? Could @opokornyy confirm if it's still happening with your code?
2. IIUC, when this PR lands, TLS configuration changes do not require restarting pods or even to update the pods. Am I right? I'm raising this because in case pods do not need to be updated, it's very likely that line Expect(deployment.Status.UpdatedReplicas).To(BeNumerically(">=", 1)) will never be satisfied.

Thanks! :)

[0xFelix]

One more question and one nit.

@jcanocan

1. IMO this should be fixed in a follow up PR. It has nothing to do with SSP restarting.
2. Good point!

[0xFelix]

nit: newline

[0xFelix]

Do we still need Eventually here, or does strategy.RevertToOriginalSspCr wait?

[opokornyy]

It should wait, based on the previous comment the waitting was needed just because of the bug

ssp-operator/tests/crypto_policy_test.go

Lines 110 to 112 in 96302e1

	// Because of bug[1], the SSP operator will move to CrashLoopBackOff state,
	// so we need to wait until it is running.
	// [1] - https://bugzilla.redhat.com/show_bug.cgi?id=2151248

ssp-operator/tests/tests_suite_test.go

Lines 360 to 364 in 96302e1

	func (s *existingSspStrategy) RevertToOriginalSspCr() {
	waitForSspDeletionIfNeeded(s.ssp)
	createOrUpdateSsp(s.ssp)
	waitUntilDeployed()
	}

[0xFelix]

Thinking about it, can't we drop all of this?

[opokornyy]

IMO we can drop it

[0xFelix]

Thank you! It looks good to me.

/approve
/retest-required

[kubevirt-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: 0xFelix

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [0xFelix]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[akrejcir]

Ideally we should use a different context for the certWatcher than ctx, so that it can be closed when this function returns on error.

We can do it in a follow-up PR.

[akrejcir]

The error should be returned from this function.

[akrejcir]

The documentation for ListenAndServeTLS() says that it always returns a non-nil error:
https://github.com/golang/go/blob/0ae54ddd37302bdd2a8c775135bf5f076a18eeb3/src/net/http/server.go#L3281-L3283

https://github.com/golang/go/blob/0ae54ddd37302bdd2a8c775135bf5f076a18eeb3/src/net/http/server.go#L3026-L3028

These links are for go 1.19 but the same comments are in master.

[akrejcir]

When below server.ListenAndServeTLS() returns because of an error, and this Start() function returns, this goroutine will still be waiting until context is closed.
Can you change the code, so that before the Start() returns, it makes sure that this goroutine has finished?

[akrejcir]

I've reconsidered this.
In this PR, we are already letting the above goroutine leak, from the Start() function, so this one can be left as is.

Can you add a // TODO comment to the code next to both goroutines, and open a new github issue, so that we don't forget to open a followup PR?

[opokornyy]

Done

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
2 Code Smells

No Coverage information
0.0% Duplication

[akrejcir]

/lgtm

[opokornyy]

/cherry-pick release-v0.18

[kubevirt-bot]

@opokornyy: new pull request created: #668

In response to this:

/cherry-pick release-v0.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.