backport issue 48484 (#203 )

Check certificate fingerprint when deciding if memory store needs to be updated (#180 )
When using a chained store of Kubernetes -> Memory -> File, a file-backed cert with a valid ResourceVersion could not be updated when the Kubernetes store was offline, as the Memory store was skipping the update if the ResourceVersion was not changed. The Kubernetes store passes through the secret update without a modified ResourceVersion if the Secret controller is not yet available to round-trip the secret through the apiserver, as the apiserver is what handles updating the ResourceVersion when the Secret changes. In RKE2, this caused a deadlock on startup when the certificate is expired, as the apiserver cannot be started until the cert is updated, but the cert cannot be updated until the apiserver is up. Fix this by also considering the certificate hash annotation when deciding if the update can be skipped. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit 242c2af2db) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2025-09-14 13:59:53 +00:00 · 2025-09-12 10:11:23 -03:00 · 2025-06-11 18:41:32 +00:00 · 2025-04-23 17:21:19 -07:00 · 2025-04-23 17:11:44 -07:00 · 2025-02-23 10:59:36 -08:00
9 changed files with 125 additions and 21 deletions
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -5,5 +5,22 @@
  "baseBranches": [
    "main", "release/v0.3", "release/v0.4", "release/v0.5"
  ],
-  "prHourlyLimit": 2
+  "prHourlyLimit": 2,
+  "packageRules": [
+    {
+      "matchPackagePatterns": [
+        "k8s.io/*",
+        "sigs.k8s.io/*",
+        "github.com/prometheus/*"
+      ],
+      "enabled": false
+    },
+    {
+      "matchPackagePatterns": [
+        "github.com/rancher/wrangler/*"
+      ],
+      "matchUpdateTypes": ["major", "minor"],
+      "enabled": false
+    }
+  ]
 }
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -10,11 +10,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
-      # https://github.com/actions/checkout/releases/tag/v4.1.1
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      # https://github.com/actions/checkout/releases/tag/VERSION
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Install Go
-      # https://github.com/actions/setup-go/releases/tag/v5.0.0
-      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      # https://github.com/actions/setup-go/releases/tag/VERSION
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
      with:
        go-version-file: 'go.mod'
-    - run: go test -race -cover ./...
+    - run: go test -v -race -cover ./...
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,7 +12,7 @@ jobs:
      contents: write
    steps:
      - name : Checkout repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Create release on Github
        run: |
--- a/.github/workflows/renovate-vault.yml
+++ b/.github/workflows/renovate-vault.yml
@@ -16,9 +16,13 @@ on:
  schedule:
    - cron: '30 4,6 * * *'

+permissions:
+  contents: read
+  id-token: write
+
 jobs:
  call-workflow:
-    uses: rancher/renovate-config/.github/workflows/renovate.yml@release
+    uses: rancher/renovate-config/.github/workflows/renovate-vault.yml@release
    with:
      logLevel: ${{ inputs.logLevel || 'info' }}
      overrideSchedule: ${{ github.event.inputs.overrideSchedule == 'true' && '{''schedule'':null}' || '' }}
--- a/VERSION.md
+++ b/VERSION.md
@@ -2,9 +2,9 @@ DynamicListener follows a pre-release (v0.x) strategy of semver. There is limite

 The current supported release lines are:

-| DynamicListener Branch | DynamicListener Minor version | Kubernetes Version Range |
-|--------------------------|------------------------------------|------------------------------------------------|
-| main | v0.6 | v1.27+ |
-| release/v0.5 | v0.5 | v1.26 - v1.30 |
-| release/v0.4 | v0.4 | v1.25 - v1.28 |
-| release/v0.3 | v0.3 | v1.23 - v1.27 |
+| DynamicListener Branch | DynamicListener Minor version | Kubernetes Version Range | Wrangler Version |
+|--------------------------|------------------------------------|------------------------------------------------|------------------------------------------------|
+| main | v0.6 | v1.27+ | v3 |
+| release/v0.5 | v0.5 | v1.26 - v1.30 | v3 |
+| release/v0.4 | v0.4 | v1.25 - v1.28 | v2 |
+| release/v0.3 | v0.3 | v1.23 - v1.27 | v2 |
--- a/factory/gen.go
+++ b/factory/gen.go
@@ -25,7 +25,7 @@ import (
 const (
 	cnPrefix    = "listener.cattle.io/cn-"
 	Static      = "listener.cattle.io/static"
-	fingerprint = "listener.cattle.io/fingerprint"
+	Fingerprint = "listener.cattle.io/fingerprint"
 )

 var (
@@ -189,7 +189,7 @@ func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, e
 	secret.Type = v1.SecretTypeTLS
 	secret.Data[v1.TLSCertKey] = certBytes
 	secret.Data[v1.TLSPrivateKeyKey] = keyBytes
-	secret.Annotations[fingerprint] = fmt.Sprintf("SHA1=%X", sha1.Sum(newCert.Raw))
+	secret.Annotations[Fingerprint] = fmt.Sprintf("SHA1=%X", sha1.Sum(newCert.Raw))

 	return secret, true, nil
 }
--- a/server/server.go
+++ b/server/server.go
@@ -1,11 +1,13 @@
 package server

 import (
+	"bytes"
 	"context"
 	"crypto"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
+	"io"
 	"log"
 	"net"
 	"net/http"
@@ -40,7 +42,24 @@ type ListenOpts struct {
 	// Override legacy behavior where server logs written to the application's logrus object
 	// were dropped unless logrus was set to debug-level (such as by launching steve with '--debug').
 	// Setting this to true results in server logs appearing at an ERROR level.
-	DisplayServerLogs bool
+	DisplayServerLogs       bool
+	IgnoreTLSHandshakeError bool
+}
+
+var TLSHandshakeError = []byte("http: TLS handshake error")
+
+var _ io.Writer = &TLSErrorDebugger{}
+
+type TLSErrorDebugger struct{}
+
+func (t *TLSErrorDebugger) Write(p []byte) (n int, err error) {
+	p = bytes.TrimSpace(p)
+	if bytes.HasPrefix(p, TLSHandshakeError) {
+		logrus.Debug(string(p))
+	} else {
+		logrus.Error(string(p))
+	}
+	return len(p), err
 }

 func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.Handler, opts *ListenOpts) error {
@@ -52,9 +71,15 @@ func ListenAndServe(ctx context.Context, httpsPort, httpPort int, handler http.H
 	if opts.DisplayServerLogs {
 		writer = logger.WriterLevel(logrus.ErrorLevel)
 	}
-	// Otherwise preserve legacy behaviour of displaying server logs only in debug mode.

-	errorLog := log.New(writer, "", log.LstdFlags)
+	var errorLog *log.Logger
+	if opts.IgnoreTLSHandshakeError {
+		debugWriter := &TLSErrorDebugger{}
+		errorLog = log.New(debugWriter, "", 0)
+	} else {
+		// Otherwise preserve legacy behaviour of displaying server logs only in debug mode.
+		errorLog = log.New(writer, "", 0)
+	}

 	if opts.TLSListenerConfig.TLSConfig == nil {
 		opts.TLSListenerConfig.TLSConfig = &tls.Config{}
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -39,6 +39,47 @@ func (s *safeWriter) Write(p []byte) (n int, err error) {
 	return s.writer.Write(p)
 }

+func TestTLSHandshakeErrorWriter(t *testing.T) {
+	tests := []struct {
+		name                    string
+		ignoreTLSHandshakeError bool
+		message                 []byte
+		expectedLevel           logrus.Level
+	}{
+		{
+			name:          "TLS handshake error is logged as debug",
+			message:       []byte("http: TLS handshake error: EOF"),
+			expectedLevel: logrus.DebugLevel,
+		},
+		{
+			name:          "other errors are logged as error",
+			message:       []byte("some other server error"),
+			expectedLevel: logrus.ErrorLevel,
+		},
+	}
+	var baseLogLevel = logrus.GetLevel()
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert := assertPkg.New(t)
+
+			var buf bytes.Buffer
+			logrus.SetOutput(&buf)
+			logrus.SetLevel(logrus.DebugLevel)
+
+			debugger := &TLSErrorDebugger{}
+			n, err := debugger.Write(tt.message)
+
+			assert.Nil(err)
+			assert.Equal(len(tt.message), n)
+
+			logOutput := buf.String()
+			assert.Contains(logOutput, "level="+tt.expectedLevel.String())
+			assert.Contains(logOutput, string(tt.message))
+		})
+	}
+	logrus.SetLevel(baseLogLevel)
+}
+
 func TestHttpServerLogWithLogrus(t *testing.T) {
 	assert := assertPkg.New(t)
 	message := "debug-level writer"
@@ -84,7 +125,7 @@ func doRequest(safeWriter *safeWriter, message string, logLevel logrus.Level) er
 	msg := fmt.Sprintf("panicking context: %s", message)
 	handler := alwaysPanicHandler{msg: msg}
 	listenOpts := &ListenOpts{
-		BindHost: host,
+		BindHost:          host,
 		DisplayServerLogs: logLevel == logrus.ErrorLevel,
 	}

--- a/storage/memory/memory.go
+++ b/storage/memory/memory.go
@@ -2,6 +2,7 @@ package memory

 import (
 	"github.com/rancher/dynamiclistener"
+	"github.com/rancher/dynamiclistener/factory"
 	"github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
 )
@@ -32,7 +33,7 @@ func (m *memory) Get() (*v1.Secret, error) {
 }

 func (m *memory) Update(secret *v1.Secret) error {
-	if m.secret == nil || m.secret.ResourceVersion == "" || m.secret.ResourceVersion != secret.ResourceVersion {
+	if isChanged(m.secret, secret) {
 		if m.storage != nil {
 			if err := m.storage.Update(secret); err != nil {
 				return err
@@ -44,3 +45,19 @@ func (m *memory) Update(secret *v1.Secret) error {
 	}
 	return nil
 }
+
+func isChanged(old, new *v1.Secret) bool {
+	if old == nil {
+		return true
+	}
+	if old.ResourceVersion == "" {
+		return true
+	}
+	if old.ResourceVersion != new.ResourceVersion {
+		return true
+	}
+	if old.Annotations[factory.Fingerprint] != new.Annotations[factory.Fingerprint] {
+		return true
+	}
+	return false
+}
Author	SHA1	Message	Date
Mary	0e2161b34b	backport issue 48484 (#203 )	2025-09-12 10:11:23 -03:00
Brad Davidson	2ee4a16846	Check certificate fingerprint when deciding if memory store needs to be updated (#180 ) When using a chained store of Kubernetes -> Memory -> File, a file-backed cert with a valid ResourceVersion could not be updated when the Kubernetes store was offline, as the Memory store was skipping the update if the ResourceVersion was not changed. The Kubernetes store passes through the secret update without a modified ResourceVersion if the Secret controller is not yet available to round-trip the secret through the apiserver, as the apiserver is what handles updating the ResourceVersion when the Secret changes. In RKE2, this caused a deadlock on startup when the certificate is expired, as the apiserver cannot be started until the cert is updated, but the cert cannot be updated until the apiserver is up. Fix this by also considering the certificate hash annotation when deciding if the update can be skipped. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `242c2af2db`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2025-06-11 18:41:32 +00:00
renovate-rancher[bot]	12ccb5f265	Update actions/setup-go action to v5.4.0 (main) (#168 ) * Update actions/setup-go action to v5.4.0 * No point putting exact versions in the comments before an action. The comment isn't updated by renovatebot, and the bot puts the version next to the item being referenced. --------- Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com> Co-authored-by: Eric Promislow <epromislow@suse.com>	2025-04-23 17:21:19 -07:00
Sakala Venkata Krishna Rohit	737b624f6b	Update VERSION.md to include wrangler version (#159 )	2025-04-23 17:11:44 -07:00
Sakala Venkata Krishna Rohit	246fdcf607	Update renovate.json to ignore packages (#164 )	2025-02-23 10:59:36 -08:00
renovate-rancher[bot]	1be223c6b0	Update actions/checkout action to v4.2.2 (#132 ) Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>	2025-02-19 12:02:04 -08:00
renovate-rancher[bot]	389ebca7c5	Update actions/setup-go action to v5.3.0 (#133 ) Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>	2025-02-19 12:01:45 -08:00
renovate-rancher[bot]	3f4c7c1f3a	Add initial Renovate configuration (#157 ) Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>	2025-02-19 12:01:31 -08:00