rancher/dynamiclistener
1
0
Fork 0
forked from github/dynamiclistener
Code Issues Pull Requests Projects Releases Wiki Activity
111 Commits 4 Branches 17 Tags 210 KiB
master
Commit Graph

111 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Caleb Bron
401fafb7e6
Merge pull request #64 from w13915984028/fix63 
fix63 use sleep instead of force scheduling
 2022-07-28 13:43:07 -07:00
Jian Wang
bad953b9f0 fix63 use sleep instead of force scheduling 2022-07-27 08:59:22 +02:00
Brad Davidson
8ebd77f8a4 Raise default ExpirationDaysCheck to 90 and extend into cert factory 
Most of our products actually renew at 90 days, so make that the default.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2022-07-21 14:08:16 -07:00
Brad Davidson
fdf983a935 Don't merge expired certs over the top of an unexpired cert 
Fixes an issue where an expired Kubernetes secret would replace the renewed locally-cached cert after cluster startup.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2022-07-21 14:08:16 -07:00
Flavio Grossi
7b5997cee9 always use CATTLE_NEW_SIGNED_CERT_EXPIRATION_DAYS when generating a certificate 2022-07-20 12:07:31 -07:00
Lucas Ramage
42d72c2ef2
Merge pull request #56 from rancher/fossa 
Implement drone-plugin-fossa
 2022-07-01 10:58:54 -04:00
Brad Davidson
d2b7e2aaa6 We support IPv6 now, don't skip adding IPv6 address SANs 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2022-05-20 12:21:30 -07:00
Brad Davidson
a30741bb53 Send complete certificate chain, not just the leaf cert 
Also, print a warning when signing may change the issuer.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2022-05-20 12:21:30 -07:00
Brad Davidson
4df376813d Improve log messages and warn if no cert is available 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2022-05-20 12:21:30 -07:00
Brad Davidson
9b92d13bcb Fix initial secret not being written to Kubernetes 
Updates to the secret that occurred before the controller was done
syncing were not being written to Kubernetes. Subsequent updates to the
secret would eventually get it written, but Rancher requires that the
cert be written immediately. This was probably an unnecessary
optimization anyway, so back it out in favor of just checking to see if
the secrets controller is available.

Also fixed improper handling of multiple goroutines attempting to create
the Kubernetes secret at the same time; this was also handled eventually
but caused an unnecessary round of extra writes to the secret.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2022-05-20 12:21:30 -07:00
Brad Davidson
b1d65efb6f Move Kubernetes Secrets storage update to goroutine 
Fixes issue where apiserver outages can block dynamiclistener from accepting new connections.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2022-05-02 18:48:48 -07:00
Lucas Ramage
5e81b14c1f Implement drone-plugin-fossa 2022-03-31 16:28:22 -04:00
Brian Downs
148d38076d
update config to allow for specifying experiation in days (#53) 2021-12-21 15:38:04 -07:00
Brad Davidson
43f9c3ae0a Fix handling of IPv6 addresses and long hostnames 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-11-23 23:38:49 -08:00
Brad Davidson
284cc004e8 Fix listenAndServe certificate expiration by preloading certs 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-11-23 23:38:49 -08:00
Kinara Shah
120a37b97a
Merge pull request #51 from nickgerace/quick-fix 
Add README
 2021-11-19 14:29:09 -08:00
Nick Gerace
bbac29e0fa Add README 2021-11-19 13:50:48 -05:00
Kinara Shah
962b635269
Merge pull request #50 from nickgerace/quick-fix 
Fix defaultNewSignedCertExpirationDays const
 2021-11-19 10:28:49 -08:00
Nick Gerace
f147aa4166 Fix defaultNewSignedCertExpirationDays const 
This a quick fix for 2644a6ed16
 2021-11-19 12:31:47 -05:00
Kinara Shah
63157c59ce
Merge pull request #46 from nickgerace/days 
Allow for default expiration days to be loaded from env
 2021-11-19 08:59:57 -08:00
Nick Gerace
2644a6ed16 Allow for default expiration days to be loaded from env 2021-11-18 12:38:35 -05:00
Brian Downs
27f4642299
Add ability to force cert regeneration (#43) 
* add ability to force cert regeneration
 2021-11-15 13:50:26 -07:00
Caleb Bron
cd5d71f2fe
Merge pull request #44 from cmurphy/fix-type 
Fix net.Conn type assertion
 2021-11-04 13:09:48 -07:00
Colleen Murphy
fb66484384 Fix net.Conn type assertion 
Don't assert that all connections are wrapped, as they won't be if
the CloseConnOnCertChange setting is false. Only run the assertion
within a conditional for wrapped connections, where it is safe. This
prevents a panic from happening when CloseConnOnCertChange is not used.
 2021-10-29 11:03:02 -07:00
Darren Shepherd
6b37dc1212
Merge pull request #42 from cmurphy/fix-close-conn 
Skip closing an initializing connection
 2021-10-27 08:35:21 -07:00
Colleen Murphy
c7dd355394 Skip closing an initializing connection 
Without this change, if a cert is updated (e.g. to add CNs) while the
listener is in the middle of Accept()ing a new connection, the
connection gets dropped, we'll see a message like this in the server
logs:

  http: TLS handshake error from 127.0.0.1:51232: write tcp 127.0.7.1:8443->127.0.0.1:51232: use of closed network connection

and the client (like a browser) won't necessarily reconnect. This change
modifies the GetCertificate routine in the listener's tls.Config to
keep track of the state of the incoming connections and only close
connections that have completed GetCertificate and therefore are
finished with their TLS handshake, so that only old established
connections are closed.
 2021-10-25 13:17:24 -07:00
Darren Shepherd
94e22490cf
Merge pull request #41 from weihanglo/nil-defer-storage-tls 
Merge TLS only if TLS factory is set
 2021-08-03 10:23:59 -07:00
Weihang Lo
b45d8a455e
Merge TLS only if TLS factory is set 
Since `storage.tls` is optional, we should check it existence before
calling its methods.
 2021-07-12 18:25:01 +08:00
Darren Shepherd
9865ae859c Don't reset connections on the first load of the certs 2021-06-16 01:00:09 -07:00
Darren Shepherd
db883ae66a Don't reset connections on the first load of the certs 2021-06-16 00:23:14 -07:00
Darren Shepherd
9dfd7df057 Pass context to http server as BaseContext 2021-06-15 22:42:42 -07:00
Darren Shepherd
ff22834bde Avoid panic when secret is nil 2021-06-15 22:42:42 -07:00
Sjoerd Simons
dc7452dbb8 Accept IPv6 address as CN names 
Expand the cnRegexp to also accept ipv6 addresses such as:
  * ::1
  * 2a00:1450:400e:80e::
  * 2a00:1450:400e:80e::200e

Fixes: #37

Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
 2021-06-14 11:07:13 -07:00
Dan Ramich
86af265dcd
Merge pull request #35 from dramich/panic 
Update IsStatic to check for nil annotations
 2021-04-26 09:21:45 -06:00
Dan Ramich
f373fc1c7c Update IsStatic to check for nil annotations 2021-04-23 14:56:14 -06:00
Darren Shepherd
e7b1adba70 Update to wrangler v0.8.0 and merge v0.2.x to master 2021-04-12 15:09:30 -07:00
Darren Shepherd
a60200ab9e Merge tag 'v0.2.3' 2021-04-12 15:00:05 -07:00
Hussein Galal
fc8cf5f3ea
Merge pull request #33 from galal-hussein/fix_load_certs 
Fixing loading certs to work with etcd only nodes
 2021-03-05 22:54:49 +02:00
galal-hussein
3878ff2a1f Fixing loading certs 2021-03-05 22:39:13 +02:00
Hussein Galal
1b2460c151
Merge pull request #32 from galal-hussein/fix_resversion 
Add check to update dynamic listener cert in etcd only nodes
 2021-03-01 21:58:18 +02:00
galal-hussein
e34610a1ae Add check to update dynamic listener cert in etcd only nodes 2021-03-01 21:52:45 +02:00
Darren Shepherd
9b1b7d3132 Add filter helper method 2020-11-09 21:52:17 -07:00
Darren Shepherd
85f32491cb Add dumb hook to set the organization in the client cert 2020-09-10 13:32:14 -07:00
Brad Davidson
7c224dcdfb
Merge pull request #29 from brandond/force_reissue_0.2 
Allow forcing cert reissuance (v0.2 backport)
 2020-08-11 12:58:42 -07:00
Brad Davidson
53f6b38760 Allow forcing cert reissuance (#28) 
Refreshing the cert should force renewal as opposed to returning
early if the SANs aren't changing. This is currently breaking refresh
of expired certs as per:
https://github.com/rancher/k3s/issues/1621#issuecomment-669464318

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2020-08-10 17:12:39 -07:00
Darren Shepherd
479ab335d6 Add LoadOrGenClient to handle client cert generation 2020-08-10 17:12:39 -07:00
Darren Shepherd
2bfb7bd0cb Fix error masking issue 
Also don't do an extra lookup of TLS secret after update.
 2020-08-10 17:12:39 -07:00
Darren Shepherd
ebebb82b9b Add LoadOrGenClient to handle client cert generation 2020-08-01 23:37:51 -07:00
Darren Shepherd
bafb051656
Merge pull request #27 from ibuildthecloud/master 
Fix error masking issue
 2020-07-27 22:48:58 -07:00
Darren Shepherd
3b42c52bec Fix error masking issue 
Also don't do an extra lookup of TLS secret after update.
 2020-07-27 22:48:13 -07:00