Serving cert file OIDC provider #4190
Signed-off-by: Guilherme Carvalho <[email protected]>
|
||
tmpDir := t.TempDir() | ||
|
||
writeFile(t, tmpDir+keyFilePath, oidcServerKeyPem) |
maybe you can use filepath.Join here, to avoid using /
certManager, err := NewDiskCertManager(&ServingCertFileConfig{ | ||
CertFilePath: tmpDir + certFilePath, | ||
KeyFilePath: tmpDir + keyFilePath, | ||
FileSyncInterval: 10 * time.Millisecond, |
Instead of continuous reloading, why not use a clock mock and advance time when required?
This could make the test run faster, but we would still need to use require.Eventually to make some assertions since the time difference between loading a cert and moving the clock + making an assertion can cause errors.
require.NoError(t, err) | ||
} | ||
|
||
func assertFileDontExist(t *testing.T, filePath string, err error) { |
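Review bot: naming and helper hygiene on `func assertFileDontExist(t *testing.T, filePath string, err error)`: `assertFileDoesNotExist` (or `assertFileNotExist`, matching `os.ErrNotExist`) reads better, and since the helper takes `*testing.T` its first statement should be `t.Helper()` so a failed assertion is reported at the caller's line rather than inside the helper.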
Could you move this to `_posix_test` || `_windows_test` and avoid this `if`?
I did that initially, but I didn't like to have two extra files for differentiating only two string constants. Do you think it is worth it?
How about putting them inside config_XXXX_test? Both are in the same package, and you would not need another file.
I like the idea!
if err != nil { | ||
return nil, err | ||
} | ||
log.Info("Serving HTTPS using certificate loaded from disk") |
May we add fields for the files used?
|
||
tlsConfig := certManager.TLSConfig() | ||
|
||
tcpListener, err := net.ListenTCP("tcp", &net.TCPAddr{Port: 8080}) |
is this hardcoded port ok?
It should be 443 for default HTTPS
The acme code for sure used 443. Now that we're not bound to ACME, this could probably be configurable so you don't need CAP_NET_BIND_SERVICE capabilities when testing it out...
You're right, we can provide more flexibility now, I will introduce a new addr configuration in this section.
@@ -56,13 +57,13 @@ The configuration file is **required** by the provider. It contains | |||
|
|||
#### Considerations for Unix platforms | |||
|
|||
[1]: One of `acme` or `listen_socket_path` must be defined. | |||
[1]: One of `acme`, `serving_cert_file`, `listen_socket_path` must be defined. |
I think we still want the "or" on these lines (same suggestion for the others):
[1]: One of `acme`, `serving_cert_file`, `listen_socket_path` must be defined. | |
[1]: One of `acme`, `serving_cert_file`, or `listen_socket_path` must be defined. |
err = server.Shutdown(context.Background()) | ||
if err != nil { |
In general, it isn't safe to modify the `err` variable from the goroutine. In practice in this code it is fine because it isn't used after this point. It would be safer to use a new `err` variable, ideally scoped to the shutdown statement:
if err := server.Shutdown(context.Background()); err != nil {
	log.Error(err)
}
certManager, err := NewDiskCertManager(config.ServingCertFile, log) | ||
if err != nil { | ||
return nil, err | ||
} | ||
go func() { | ||
certManager.WatchFileChanges(ctx) |
nit: I'll accept this code as-is since it's happening in `main`, but ideally the lifetime of this goroutine is controlled by the net.Listener it returns, i.e. when the listener is closed, this goroutine shuts down and the listener waits for it to close.
@azdagron thank you very much for the review so far, I've addressed the last comments you made, could you review it again? 😄
| `key_file_path` | string | required | The private key file path, the file must contain PEM encoded data. | | | ||
| `file_sync_interval` | duration | optional | Controls how frequently the service polls the files for changes. | 1 minute | | ||
| `file_sync_interval` | duration | optional | Controls how frequently the service polls the files for changes. | 1 minute | | ||
| `addr` | string | optional | Exposes the service on the given address. | :433 | |
443 should be the default (multiple places to fix)
Thanks, @guilhermocc!
* Add disk cert manager Signed-off-by: Guilherme Carvalho <[email protected]> Signed-off-by: Guilherme Carvalho <[email protected]> Signed-off-by: Neniel <[email protected]>
Pull Request check list
Affected functionality
oidc discovery provider HTTPS configuration.
Description of change
Add a new configuration option for the oidc discovery provider, so users can now use their own certificates for HTTPS connections. The new configuration structure is described below:
Users can now indicate the file path of the certificate and private key that are going to be loaded from the disk and used for establishing TLS connections with clients. Upon start, the oidc discovery provider will start watching for file changes in the provided paths and reload the certificate used for connections.
Which issue this PR fixes
Fixes #3825