Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use Validate Hook to control the total count of AutoCertManager #1155

Merged
merged 5 commits into from
Dec 8, 2023
Merged

Use Validate Hook to control the total count of AutoCertManager #1155

merged 5 commits into from
Dec 8, 2023

Conversation

xxx7xxxx
Copy link
Contributor

@xxx7xxxx xxx7xxxx commented Dec 2, 2023

Based on the last pr #1144

@codecov-commenter
Copy link

codecov-commenter commented Dec 2, 2023
edited
Loading

Codecov Report

Attention: 31 lines in your changes are missing coverage. Please review.

Comparison is base (e8dc3e8) 81.25% compared to head (cb57009) 81.02%.

Files Patch % Lines
pkg/object/autocertmanager/autocertmanager.go 33.33% 22 Missing ⚠️
pkg/object/httpserver/spec.go 11.11% 7 Missing and 1 partial ⚠️
pkg/object/httpserver/mux.go 87.50% 1 Missing ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1155      +/-   ##
==========================================
- Coverage   81.25%   81.02%   -0.23%     
==========================================
  Files         149      149              
  Lines       16946    16962      +16     
==========================================
- Hits        13769    13743      -26     
- Misses       2524     2562      +38     
- Partials      653      657       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

localvar
localvar reviewed Dec 3, 2023
View reviewed changes
pkg/object/httpserver/mux.go Outdated
acm := autocertmanager.GetGlobalAutoCertManager()
if acm == nil {
logger.Errorf("BUG: autocert manager not found")
stdw.WriteHeader(http.StatusServiceUnavailable)
return
}

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these lines are only need when the request is an HTTP01 challenge, so they could be moved into the next if block.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated

pkg/object/httpserver/spec.go Outdated
tlsConf.GetCertificate = func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
return autocertmanager.GetCertificate(chi, !spec.AutoCert /* tokenOnly */)
return acm.GetCertificate(chi, !spec.AutoCert /* tokenOnly */)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could acm be nil here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We chose to make AutoCertManager to BusinessController because its properties do not seem like a system controller.

pkg/supervisor/supervisor.go Outdated
Comment on lines 160 to 161
err = s.cls.Put(s.cls.Layout().ConfigObjectKey(spec.Name()),
spec.JSONConfig())
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

per Go style guide.

Suggested change
err = s.cls.Put(s.cls.Layout().ConfigObjectKey(spec.Name()),
spec.JSONConfig())
err = s.cls.Put(s.cls.Layout().ConfigObjectKey(spec.Name()), spec.JSONConfig())

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated.

@xxx7xxxx xxx7xxxx changed the title Transform AutoCertManager to a system controller Use Validate Hook to control the total count of AutoCertManager Dec 5, 2023
suchen-sci
suchen-sci reviewed Dec 7, 2023
View reviewed changes
pkg/object/httpserver/spec.go Outdated
Comment on lines 141 to 148
acm, exists := autocertmanager.GetGlobalAutoCertManager()
if !exists {
return nil, fmt.Errorf("BUG: autocert manager is not initialized")
}

tlsConf.GetCertificate = func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
return acm.GetCertificate(chi, !spec.AutoCert /* tokenOnly */)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we may need to keep the atomic.Value in AutoCertManager. Here, acm here is the instance that existed when this HTTPServer is created.

Then suppose the user update the AutoCertManager or simply delete it. Then tlsConf.GetCertificate still use the old acm value.

I think every time GetCertificate is called, then we should dynamic load AutoCertManager and use the newest one. And since autocertmanager.GetGlobalAutoCertManager() is not very efficiency compare to actomic. We should use atomic.Value back.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need to use atomic.Value because it is called infrequently. But you're right we need to get acm in real time in tlsConf.GetCertificate.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tlsConf. GetCertificate is used to get certificate based on client hello message. When a client connect to https server, they send a client hello message. And golang use this client hello info to get certificate from autocertmanager. I am not sure if golang use cache for this. If not, it will be called every time a client connect to server. That can be a lot...

Anyway, atomic.Value brings no harm at all. Only benefits of efficiency.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated

suchen-sci
suchen-sci reviewed Dec 7, 2023
View reviewed changes
pkg/object/httpserver/spec.go Outdated
Comment on lines 141 to 148
acm, exists := autocertmanager.GetGlobalAutoCertManager()
if !exists {
return nil, fmt.Errorf("there is no AutoCertManager")
}

tlsConf.GetCertificate = func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
return acm.GetCertificate(chi, !spec.AutoCert /* tokenOnly */)
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

tlsConf.GetCertificate = func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) {
		acm, exists := autocertmanager.GetGlobalAutoCertManager()
		if !exists {
			return nil, fmt.Errorf("there is no AutoCertManager")
		}
		return acm.GetCertificate(chi, !spec.AutoCert /* tokenOnly */)
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inside of GetCertificate, we need to load atomic.Value every time to get newest instance...

@xxx7xxxx xxx7xxxx added this pull request to the merge queue Dec 8, 2023
Merged via the queue into easegress-io:main with commit c3ab195 Dec 8, 2023
8 checks passed
@xxx7xxxx xxx7xxxx deleted the autocert branch December 13, 2023 02:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@localvar localvar localvar approved these changes

@suchen-sci suchen-sci suchen-sci approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@xxx7xxxx @codecov-commenter @localvar @suchen-sci