🌱 Add support for CA/certificate rotation

[tmshort]

Fixes #915
Mounted secrets are automatically updated into pods, but...

• It doesn't work with subPath mountings
• When subPath is not used, then a bunch of directories are mounted
• And one of those directories is a symlink, so IsDir() returns false
• And a watch is needed to notice the change

So, update the certificate volume patch, which requires a change in how we look for certificates in the CA cert directory.

Add a watch, so when the certs do change, we update the cert pool.
Also look at validity dates of certificates, and error on expired certs.

The default cert-manager certificates have 90 days validities.

Description

Reviewer Checklist

• API Go Documentation
• Tests: Unit Tests (and E2E Tests, if appropriate)
• Comprehensive Commit Messages
• Links to related GitHub Issue(s)

[netlify]

✅ Deploy Preview for olmv1 ready!

Name	Link
🔨 Latest commit	5eea072
🔍 Latest deploy log	https://app.netlify.com/sites/olmv1/deploys/669ac31547b423000860d4e7
😎 Deploy Preview	https://deploy-preview-1062--olmv1.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[tmshort]

This also adds a unit-test for an empty cert dir, and for an expired certificate. And also adds an e2e to make sure secret updates and rotations actually work.

[codecov]

Codecov Report

Attention: Patch coverage is 71.28713% with 29 lines in your changes missing coverage. Please review.

Project coverage is 72.67%. Comparing base (775613f) to head (5eea072).
Report is 2 commits behind head on main.

Files	Patch %	Lines
internal/httputil/certpoolwatcher.go	68.96%	11 Missing and 7 partials ⚠️
internal/httputil/certutil.go	78.26%	2 Missing and 3 partials ⚠️
internal/catalogmetadata/cache/cache.go	66.66%	1 Missing and 1 partial ⚠️
internal/httputil/httputil.go	60.00%	1 Missing and 1 partial ⚠️
internal/rukpak/source/image_registry.go	60.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1062      +/-   ##
==========================================
- Coverage   72.85%   72.67%   -0.19%     
==========================================
  Files          31       32       +1     
  Lines        1864     1965     +101     
==========================================
+ Hits         1358     1428      +70     
- Misses        371      388      +17     
- Partials      135      149      +14     

Flag	Coverage Δ
e2e	55.65% <46.53%> (+0.13%)	⬆️
unit	45.54% <61.38%> (+0.53%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[m1kola]

I'm still reviewing.

For these interested, here are some relevant issues in Go and K8s on root CA reloading:

• Go lang proposal for root CA reloading
• K8s client-go issue for root CA reloading

TLDR: it looks like there is no equivalent of GetClientCertificate/GetCertificate, but for root CAs in TLS config in standard library, but it is possible to implement a workaround with VerifyPeerCertificate. This would require setting InsecureSkipVerify to true and re-implementing the standard verification in VerifyPeerCertificate as far as I understand - see this example from Go docs.

[tmshort]

TLDR: it looks like there is no equivalent of GetClientCertificate/GetCertificate, but for root CAs in TLS config in standard library, but it is possible to implement a workaround with VerifyPeerCertificate. This would require setting InsecureSkipVerify to true and re-implementing the standard verification in VerifyPeerCertificate as far as I understand - see this example from Go docs.

And we really don't want to do that (set InsecureSkipVerify) by default. And reimplementing the verification code is probably not worth it, when we can just offer up the updated certificate pool on demand.

[m1kola]

And we really don't want to do that (set InsecureSkipVerify) by default. And reimplementing the verification code is probably not worth it, when we can just offer up the updated certificate pool on demand.

Setting InsecureSkipVerify to true and VerifyPeerCertificate means that we take over the responsibility of verifying the certs from standard library. That's not great, but it is not a lot of code (see standard library code, and client example from the docs). It doesn't sounds too terrible to me, so I'm open to consider this.

As far as I understand in this implementation we are re-creating a client each time and will have to establish a connection each we use it which is not optimal.

I don't know how significantly it will affect our performance. One one hand - creating new connections every time is not great, but on the other hand - not sure if we are going to benefit from re-using the connection in these use cases.

[everettraven]

Do you know if any events include only the directory being watched as the event.Name value? If so, I wonder if instead of performing this drainEvents action we could do some event filtering similar to https://github.com/fsnotify/fsnotify/blob/c1467c02fba575afdb5f4201072ab8403bbf00f4/cmd/fsnotify/file.go#L66-L78

I won't block the PR merging on this, but something that could make it so we don't have any "sleep" actions if it is possible

[tmshort]

Some filtering might be useful. The only time this path should be updated is when a Secret is updated. The directory is read-only within the pod.

[tmshort]

Note: the filter will not work if new files are added, as they will be filtered out. We need to recognize new files, deleted files, updated files, etc.

[everettraven]

We need to recognize new files, deleted files, updated files, etc.

If we only react to "directory has been updated" type events wouldn't we catch these events as well?

[tmshort]

But it wouldn't catch updates to files within, as that's a change to the file, not the directory.

[everettraven]

I thought the reasoning for the drain events operation was because when we receive updates we get mass events on everything when something changed. Maybe I misunderstood, which led me to thinking that if any change happened in the directory (including an individual file), it would trigger an event for the directory as well.

[tmshort]

The Watch is on the directory, and that includes the contents. It also depends on how things are mounted. A change to a file within a directory does not necessarily indicate a change to the directory.
The drain is there because the update of a single secret may trigger a number of events (I was seeing 4+, because of how the mounted files were presented), and only one reload of the certs is necessary.
Based on my testing, if there's an update on a file, it only reports the update on that file (i.e. create/update); it doesn't trigger a second update on the directory as well.

[tmshort]

I added debug output to the cert watcher test for every event in the unit test:

=== RUN   TestCertPoolWatcher
    certpoolwatcher_test.go:72: Create cert file at "/tmp/cert-pool4285276756/test1.pem"
    certpoolwatcher_test.go:87: Create cert file at "/tmp/cert-pool4285276756/test2.pem"
Event: CREATE        "/tmp/cert-pool4285276756/test2.pem"
Event: WRITE         "/tmp/cert-pool4285276756/test2.pem"
--- PASS: TestCertPoolWatcher (1.11s)

So, there's an event for the create of the new PEM, and one for the write, but nothing on the directory itself. There are two events, and that would cause two reloads without the drain mechanism in place.