Check certificate fingerprint when deciding if memory store needs to be updated (#180 )

When using a chained store of Kubernetes -> Memory -> File, a file-backed cert with a valid ResourceVersion could not be updated when the Kubernetes store was offline, as the Memory store was skipping the update if the ResourceVersion was not changed. The Kubernetes store passes through the secret update without a modified ResourceVersion if the Secret controller is not yet available to round-trip the secret through the apiserver, as the apiserver is what handles updating the ResourceVersion when the Secret changes. In RKE2, this caused a deadlock on startup when the certificate is expired, as the apiserver cannot be started until the cert is updated, but the cert cannot be updated until the apiserver is up. Fix this by also considering the certificate hash annotation when deciding if the update can be skipped. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit 242c2af2db) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Update actions/setup-go action to v5.4.0 (main) (#168 )
2025-09-03 14:14:47 +00:00 · 2025-06-11 18:41:32 +00:00 · 2025-04-23 17:21:19 -07:00 · 2025-04-23 17:11:44 -07:00
4 changed files with 30 additions and 13 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -10,11 +10,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
-      # https://github.com/actions/checkout/releases/tag/v4.1.1
+      # https://github.com/actions/checkout/releases/tag/VERSION
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Install Go
-      # https://github.com/actions/setup-go/releases/tag/v5.0.0
-      uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
+      # https://github.com/actions/setup-go/releases/tag/VERSION
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
      with:
        go-version-file: 'go.mod'
-    - run: go test -race -cover ./...
+    - run: go test -v -race -cover ./...
--- a/VERSION.md
+++ b/VERSION.md
@@ -2,9 +2,9 @@ DynamicListener follows a pre-release (v0.x) strategy of semver. There is limite

 The current supported release lines are:

-| DynamicListener Branch | DynamicListener Minor version | Kubernetes Version Range |
-|--------------------------|------------------------------------|------------------------------------------------|
-| main | v0.6 | v1.27+ |
-| release/v0.5 | v0.5 | v1.26 - v1.30 |
-| release/v0.4 | v0.4 | v1.25 - v1.28 |
-| release/v0.3 | v0.3 | v1.23 - v1.27 |
+| DynamicListener Branch | DynamicListener Minor version | Kubernetes Version Range | Wrangler Version |
+|--------------------------|------------------------------------|------------------------------------------------|------------------------------------------------|
+| main | v0.6 | v1.27+ | v3 |
+| release/v0.5 | v0.5 | v1.26 - v1.30 | v3 |
+| release/v0.4 | v0.4 | v1.25 - v1.28 | v2 |
+| release/v0.3 | v0.3 | v1.23 - v1.27 | v2 |
--- a/factory/gen.go
+++ b/factory/gen.go
@@ -25,7 +25,7 @@ import (
 const (
 	cnPrefix    = "listener.cattle.io/cn-"
 	Static      = "listener.cattle.io/static"
-	fingerprint = "listener.cattle.io/fingerprint"
+	Fingerprint = "listener.cattle.io/fingerprint"
 )

 var (
@@ -189,7 +189,7 @@ func (t *TLS) generateCert(secret *v1.Secret, cn ...string) (*v1.Secret, bool, e
 	secret.Type = v1.SecretTypeTLS
 	secret.Data[v1.TLSCertKey] = certBytes
 	secret.Data[v1.TLSPrivateKeyKey] = keyBytes
-	secret.Annotations[fingerprint] = fmt.Sprintf("SHA1=%X", sha1.Sum(newCert.Raw))
+	secret.Annotations[Fingerprint] = fmt.Sprintf("SHA1=%X", sha1.Sum(newCert.Raw))

 	return secret, true, nil
 }
--- a/storage/memory/memory.go
+++ b/storage/memory/memory.go
@@ -2,6 +2,7 @@ package memory

 import (
 	"github.com/rancher/dynamiclistener"
+	"github.com/rancher/dynamiclistener/factory"
 	"github.com/sirupsen/logrus"
 	v1 "k8s.io/api/core/v1"
 )
@@ -32,7 +33,7 @@ func (m *memory) Get() (*v1.Secret, error) {
 }

 func (m *memory) Update(secret *v1.Secret) error {
-	if m.secret == nil || m.secret.ResourceVersion == "" || m.secret.ResourceVersion != secret.ResourceVersion {
+	if isChanged(m.secret, secret) {
 		if m.storage != nil {
 			if err := m.storage.Update(secret); err != nil {
 				return err
@@ -44,3 +45,19 @@ func (m *memory) Update(secret *v1.Secret) error {
 	}
 	return nil
 }
+
+func isChanged(old, new *v1.Secret) bool {
+	if old == nil {
+		return true
+	}
+	if old.ResourceVersion == "" {
+		return true
+	}
+	if old.ResourceVersion != new.ResourceVersion {
+		return true
+	}
+	if old.Annotations[factory.Fingerprint] != new.Annotations[factory.Fingerprint] {
+		return true
+	}
+	return false
+}