* Sync changes to Kubernetes secret through workqueue instead of goroutines with locks (#202)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit b12f85e82a)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* fix dynamic-cert.json permission (#196)
(cherry picked from commit 2fb4ae1e2e)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Fix panic on nil secret (#204)
Use configured secret namespace/name in error message, to avoid panicking if the secret is invalid because it is nil
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit d9174a1f59)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Do not update memory storage with a nil secret (#205)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 7ad41853e0)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Avoid creating certs that violate Apple requirements for macOS 10.15 (#208)
* Prevent creating non-standards compliant certs.
Changes generated certificates to have a NotBefore based on either the
CA NotBefore or the current time. This prevents creation of certificates
that are valid for too long making them return errors on platforms like
macOS.
* Add license header and add test cases
(cherry picked from commit 3e35acfa52)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
---------
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: Siva Kanakala <siva.kanakala@suse.com>
Co-authored-by: Wesley <wesley19097@gmail.com>
When using a chained store of Kubernetes -> Memory -> File, a file-backed cert with a valid ResourceVersion could not be updated when the Kubernetes store was offline, as the Memory store was skipping the update if the ResourceVersion was not changed.
The Kubernetes store passes through the secret update without a modified ResourceVersion if the Secret controller is not yet available to round-trip the secret through the apiserver, as the apiserver is what handles updating the ResourceVersion when the Secret changes.
In RKE2, this caused a deadlock on startup when the certificate is expired, as the apiserver cannot be started until the cert is updated, but the cert cannot be updated until the apiserver is up.
Fix this by also considering the certificate hash annotation when deciding if the update can be skipped.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 242c2af2db)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
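As an added illustration of the skip check described in the commit message above (example code written here, not dynamiclistener's own; the cut-down Secret shape, the annotation key and the sample certificate bytes are assumed placeholders), the memory store's decision before and after the fix:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Placeholder annotation key (assumed, not the project's real key).
const certHashAnnotation = "example.invalid/cert-hash"

// Secret is a cut-down stand-in for a Kubernetes Secret (assumed shape).
type Secret struct {
	ResourceVersion string
	Annotations     map[string]string
}

// newSecret builds a constructed sample secret whose hash annotation is the
// SHA-256 of the certificate bytes, mimicking the cert hash annotation.
func newSecret(rv string, cert []byte) *Secret {
	sum := sha256.Sum256(cert)
	return &Secret{
		ResourceVersion: rv,
		Annotations:     map[string]string{certHashAnnotation: hex.EncodeToString(sum[:])},
	}
}

// needsUpdate decides whether the memory store should accept the incoming secret.
// compareHash=false reproduces the pre-fix logic: an unchanged ResourceVersion
// (the apiserver is offline, so nothing bumps it) skips the update even when the
// certificate changed. compareHash=true also consults the cert hash annotation.
func needsUpdate(cached, incoming *Secret, compareHash bool) bool {
	if incoming == nil { // never replace the cache with a nil secret (#205)
		return false
	}
	if cached == nil || cached.ResourceVersion != incoming.ResourceVersion {
		return true
	}
	if compareHash {
		return cached.Annotations[certHashAnnotation] != incoming.Annotations[certHashAnnotation]
	}
	return false
}

func main() {
	expired := newSecret("100", []byte("constructed expired cert"))
	renewed := newSecret("100", []byte("constructed renewed cert")) // same RV: apiserver offline
	fmt.Println("pre-fix accepts renewal:", needsUpdate(expired, renewed, false)) // false
	fmt.Println("post-fix accepts renewal:", needsUpdate(expired, renewed, true)) // true
}
```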
* Update actions/setup-go action to v5.4.0
* No point putting exact versions in the comments before an action.
The comment isn't updated by renovatebot, and the bot puts the
version next to the item being referenced.
---------
Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>
Co-authored-by: Eric Promislow <epromislow@suse.com>
Add a 'DisplayServerLogs' field.
When this option is true, all logs from the http.Server are displayed as errors.
This makes sense, because the docs for 'http.Server.ErrorLog' say mostly error messages
are written to it.
Unit tests need to use mutexes so we can have the logger write to a wrapped buffer
and safely read from it after writing is finished.