Brad Davidson
d2b7e2aaa6
We support IPv6 now, don't skip adding IPv6 address SANs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-20 12:21:30 -07:00
Brad Davidson
4df376813d
Improve log messages and warn if no cert is available
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-20 12:21:30 -07:00
Brad Davidson
b1d65efb6f
Move Kubernetes Secrets storage update to goroutine
Fixes issue where apiserver outages can block dynamiclistener from accepting new connections.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-02 18:48:48 -07:00
Brad Davidson
284cc004e8
Fix listenAndServe certificate expiration by preloading certs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-23 23:38:49 -08:00
Brian Downs
27f4642299
Add ability to force cert regeneration (#43)
* add ability to force cert regeneration
2021-11-15 13:50:26 -07:00
Colleen Murphy
fb66484384
Fix net.Conn type assertion
Don't assert that all connections are wrapped, as they won't be if
the CloseConnOnCertChange setting is false. Only run the assertion
within a conditional for wrapped connections, where it is safe. This
prevents a panic from happening when CloseConnOnCertChange is not used.
2021-10-29 11:03:02 -07:00
Colleen Murphy
c7dd355394
Skip closing an initializing connection
Without this change, if a cert is updated (e.g. to add CNs) while the
listener is in the middle of Accept()ing a new connection, the
connection gets dropped and we'll see a message like this in the server
logs:
http: TLS handshake error from 127.0.0.1:51232: write tcp 127.0.7.1:8443->127.0.0.1:51232: use of closed network connection
and the client (like a browser) won't necessarily reconnect. This change
modifies the GetCertificate routine in the listener's tls.Config to
keep track of the state of the incoming connections and only close
connections that have completed GetCertificate and therefore are
finished with their TLS handshake, so that only old established
connections are closed.
2021-10-25 13:17:24 -07:00
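The two commits above describe one piece of machinery: connections are only wrapped when CloseConnOnCertChange is enabled, so the code that inspects them has to use the comma-ok type assertion rather than assuming every net.Conn is wrapped, and the GetCertificate hook records which connections have finished their handshake so that a certificate change closes only those and leaves connections still inside Accept() alone. The following Go program is an added example that models that logic; it is not dynamiclistener's code. The names connTracker, trackedConn, accept, markEstablished, closeEstablished and completeHandshake are assumptions chosen for illustration, the empty tls.Certificate stands in for a real issued cert, and the connections come from net.Pipe so the example runs with no network.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"sync"
)

// connState records where a tracked connection is in its TLS lifecycle.
type connState int

const (
	stateHandshaking connState = iota // Accept()ed, GetCertificate not yet finished
	stateEstablished                  // GetCertificate returned; safe to close on cert change
)

// trackedConn is the hypothetical wrapper handed out only when closing on cert
// change is enabled; with it disabled the raw net.Conn passes through unwrapped.
type trackedConn struct{ net.Conn }

// connTracker models the listener's connection map and the lock that guards it.
type connTracker struct {
	mu            sync.Mutex
	closeOnChange bool // mirrors the CloseConnOnCertChange setting
	conns         map[*trackedConn]connState
}

func newConnTracker(closeOnChange bool) *connTracker {
	return &connTracker{closeOnChange: closeOnChange, conns: map[*trackedConn]connState{}}
}

// accept mirrors Accept(): wrap and track the connection only when closeOnChange is set.
func (t *connTracker) accept(raw net.Conn) net.Conn {
	if !t.closeOnChange {
		return raw
	}
	c := &trackedConn{Conn: raw}
	t.mu.Lock()
	t.conns[c] = stateHandshaking
	t.mu.Unlock()
	return c
}

// markEstablished uses the comma-ok assertion so an unwrapped connection (the
// closeOnChange=false case) is ignored instead of panicking.
func (t *connTracker) markEstablished(conn net.Conn) {
	c, ok := conn.(*trackedConn)
	if !ok {
		return
	}
	t.mu.Lock()
	defer t.mu.Unlock()
	if _, tracked := t.conns[c]; tracked {
		t.conns[c] = stateEstablished
	}
}

// getCertificate builds a tls.Config.GetCertificate hook that serves cert and marks hello.Conn established.
func (t *connTracker) getCertificate(cert *tls.Certificate) func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	return func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		t.markEstablished(hello.Conn)
		return cert, nil
	}
}

// completeHandshake stands in for the TLS stack calling the hook; the empty cert is a placeholder.
func completeHandshake(t *connTracker, conn net.Conn) error {
	_, err := t.getCertificate(&tls.Certificate{})(&tls.ClientHelloInfo{Conn: conn})
	return err
}

// closeEstablished is the cert-change path: close only connections that have
// completed GetCertificate, leave initializing ones alone, and report the count.
func (t *connTracker) closeEstablished() int {
	t.mu.Lock()
	var victims []*trackedConn
	for c, st := range t.conns {
		if st == stateEstablished {
			victims = append(victims, c)
			delete(t.conns, c)
		}
	}
	t.mu.Unlock() // never hold the map lock while closing sockets
	for _, c := range victims {
		c.Close()
	}
	return len(victims)
}

func main() {
	tr := newConnTracker(true)
	a, _ := net.Pipe() // in-memory conns, so no network is needed
	b, _ := net.Pipe()
	established, handshaking := tr.accept(a), tr.accept(b)
	completeHandshake(tr, established) // only a finishes its handshake before the cert changes
	fmt.Println("closed on first cert change:", tr.closeEstablished()) // a only
	completeHandshake(tr, handshaking)                                 // b finishes later
	fmt.Println("closed on second cert change:", tr.closeEstablished()) // b
}
```

The lock is released before the victims are closed so that a slow Close() on one socket cannot stall Accept() for everyone else; the connection that was still handshaking during the first change is untouched and only becomes eligible once its own GetCertificate call has returned.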
Darren Shepherd
9865ae859c
Don't reset connections on the first load of the certs
2021-06-16 01:00:09 -07:00
Darren Shepherd
db883ae66a
Don't reset connections on the first load of the certs
2021-06-16 00:23:14 -07:00
galal-hussein
3878ff2a1f
Fixing loading certs
2021-03-05 22:39:13 +02:00
Brad Davidson
53f6b38760
Allow forcing cert reissuance (#28)
Refreshing the cert should force renewal as opposed to returning
early if the SANs aren't changing. This is currently breaking refresh
of expired certs as per:
https://github.com/rancher/k3s/issues/1621#issuecomment-669464318
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-08-10 17:12:39 -07:00
Darren Shepherd
5c222d5753
Don't parse x509 cert on each request
2020-04-17 19:31:42 -07:00
Darren Shepherd
74a61a850d
Always allow configured SANs regardless of the FilterCN
2020-04-17 19:31:31 -07:00
Darren Shepherd
4bac3f291f
Add ability to confirm adding new CNs
2020-04-02 22:08:36 -07:00
Darren Shepherd
c992ce309c
Reject bad CNs that will prevent the secret from being saved.
2020-04-02 22:07:45 -07:00
Darren Shepherd
171fcf6b79
If connection closing is enabled then don't support HTTP/2
2020-03-18 23:16:38 -07:00
Darren Shepherd
05d7922a86
Add ability to limit the maximum number of SANs
2020-03-18 23:16:38 -07:00
Darren Shepherd
7e3fc0c594
For web browser based requests do not consider IPs in host headers
2020-03-14 10:16:11 -07:00
Darren Shepherd
bd73d0d4bc
Wrong lock used to protect conn map
2020-02-13 09:52:45 -07:00
Darren Shepherd
8545ce98db
Add option to close connections on cert change
2020-02-12 14:00:40 -07:00
Darren Shepherd
bc68bf5499
Fix merging of the k8s secret to reduce the number of writes
2020-02-04 12:48:38 -07:00
Darren Shepherd
4e8035fa46
Fix go fmt/vet issues
2020-01-30 22:41:19 -07:00
Darren Shepherd
a75e84bc81
Add more helpers
2020-01-30 22:41:19 -07:00
Darren Shepherd
f1484a07b3
Add static storage and listener opts
2019-12-04 11:32:00 -07:00
Darren Shepherd
655c08132d
Don't generate cert for ipv6 address
2019-11-13 14:46:32 +00:00
Darren Shepherd
02b97e01f1
Attempt to minimize additional cert gens
2019-11-13 14:46:32 +00:00
Darren Shepherd
36c5023d47
Wrong address used
Fixes three issues:
1. Use localaddr, not remoteaddr for CN
2. Don't return error from net.Listener.Accept
3. Try three times to save secret
2019-11-09 06:09:10 +00:00
Darren Shepherd
af04867843
Refactor to not include a server by default
2019-10-30 19:14:34 -07:00