config: reload cert files from disk automatically #173
Conversation
This would only apply on reload, it shouldn't require that to be in line with how the other auth files work.
@brian-brazil Are you saying the other file references need to be handled as well, or in the same way? As far as I can tell the only other one in the http config is the
The other ones are already handled this way.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
844be5f to d8d76bd
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
@brian-brazil @brancz can you have a look again? FWIW I've tested it locally.
This won't be used by client_golang, so that seems a safe assumption. FYI @beorn7
if cfg.BasicAuth != nil { | ||
rt = NewBasicAuthRoundTripper(cfg.BasicAuth.Username, cfg.BasicAuth.Password, cfg.BasicAuth.PasswordFile, rt) | ||
if len(cfg.TLSConfig.CAFile) == 0 { |
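Review bot: the CAFile check that closes this hunk decides whether the reloading wrapper is used at all, but nothing in the hunk says why an empty CAFile may take the plain path; a one-line comment stating that the client cert and key are loaded per handshake through tls.Config.GetClientCertificate, so only the CA needs the reloading round tripper, would answer the question raised in the thread and keep the early return from reading like a missed case.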
I'm not getting what you're trying to do here.
If no CA file is provided, we don't need a round tripper that reloads the CA. So we return a "normal" round-tripper.
What if the root changes?
Which root?
I meant the CA (as that's usually the root), but that would miss the client ssl auth changing.
Client cert and key files are handled differently: we leverage tls.Config.GetClientCertificate so they are always read from disk.
https://github.com/prometheus/common/pull/173/files#diff-a2356a3b837239d300d6a0326a452aafR319
https://github.com/prometheus/common/pull/173/files#diff-a2356a3b837239d300d6a0326a452aafR345
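Added example (written for this page, not code from prometheus/common or this PR) showing the two mechanisms Simon describes: a tlsRoundTripper that hashes the CA file on every request and swaps in a fresh transport when the hash changes, closing the old transport's idle connections so no pooled connection keeps the superseded roots, while the client cert and key are re-read from disk by tls.Config.GetClientCertificate at every handshake and need no reload logic at all. tlsRoundTripper and hashCAFile echo the PR's naming; newRT, fakeRT, writeSelfSignedCA and demo are constructed for this example, and the CA files it writes are throwaway self-signed certificates, not real trust anchors.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"os"
	"sync"
	"time"
)

// tlsRoundTripper rebuilds its transport when the CA file changes (detected by
// hashing the file on every request). The client cert and key are never cached:
// tls.Config.GetClientCertificate re-reads them from disk at each TLS handshake.
type tlsRoundTripper struct {
	caFile, certFile, keyFile string
	newRT                     func(*tls.Config) http.RoundTripper // *http.Transport in production

	mtx        sync.RWMutex
	rt         http.RoundTripper // nil until the first request
	hashCAFile [sha256.Size]byte
}

func (t *tlsRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	ca, err := os.ReadFile(t.caFile)
	if err != nil {
		return nil, fmt.Errorf("unable to load CA file %s: %v", t.caFile, err)
	}
	sum := sha256.Sum256(ca)
	t.mtx.RLock()
	old, same := t.rt, t.hashCAFile == sum
	t.mtx.RUnlock()
	if same && old != nil {
		return old.RoundTrip(req) // fast path: unchanged CA, shared read lock only
	}
	// First call or CA changed: build a fresh transport around a new pool.
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(ca) {
		return nil, fmt.Errorf("no certificates found in CA file %s", t.caFile)
	}
	cfg := &tls.Config{RootCAs: pool}
	if t.certFile != "" {
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			c, err := tls.LoadX509KeyPair(t.certFile, t.keyFile) // fresh read per handshake
			return &c, err
		}
	}
	rt := t.newRT(cfg)
	t.mtx.Lock()
	t.rt, t.hashCAFile = rt, sum
	t.mtx.Unlock()
	// Drop the old transport's idle connections so none keeps the stale roots.
	if ci, ok := old.(interface{ CloseIdleConnections() }); ok {
		ci.CloseIdleConnections()
	}
	return rt.RoundTrip(req)
}

// fakeRT stands in for *http.Transport so the demo runs offline; it only counts
// how often its idle connections were closed.
type fakeRT struct{ closed int }

func (f *fakeRT) RoundTrip(*http.Request) (*http.Response, error) { return &http.Response{StatusCode: 200}, nil }
func (f *fakeRT) CloseIdleConnections()                           { f.closed++ }

// writeSelfSignedCA writes a throwaway self-signed CA to path (constructed input,
// not a real trust anchor).
func writeSelfSignedCA(path, cn string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0600)
}

// demo sends two requests per CA file and rotates the file once. It returns how
// many transports were built and how often the first one was told to close its
// idle connections: 2 and 1, because an unchanged file never triggers a rebuild.
func demo(dir string) (built, firstClosed int, err error) {
	var transports []*fakeRT
	t := &tlsRoundTripper{caFile: dir + "/ca.pem", newRT: func(*tls.Config) http.RoundTripper {
		f := &fakeRT{}
		transports = append(transports, f)
		return f
	}}
	req, _ := http.NewRequest("GET", "https://example.invalid/", nil)
	for _, cn := range []string{"old CA", "new CA"} {
		if err = writeSelfSignedCA(t.caFile, cn); err != nil {
			return
		}
		for i := 0; i < 2; i++ {
			if _, err = t.RoundTrip(req); err != nil {
				return
			}
		}
	}
	return len(transports), transports[0].closed, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "careload")
	defer os.RemoveAll(dir)
	fmt.Println(demo(dir)) // 2 1 <nil>
}
```

Because the hash check runs on every request, two requests racing across a CA rotation may each build a transport; both then close the same superseded transport, which is harmless, but a production implementation may prefer to serialize the rebuild. A missing or empty CA file is a hard error here rather than a silent fallback, so a broken rotation is noticed at the first request instead of after the old connections drain.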
And even if we did at some point in the future, I see little problems raising the min requirement for client_golang to 1.8. Those are ancient versions, and while I think we should support them as long as it doesn't cause any overhead, we should not commit to more than that.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
@@ -195,6 +199,12 @@ func (rt *bearerAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, | |||
return rt.rt.RoundTrip(req) | |||
} | |||
|
|||
func (rt *bearerAuthRoundTripper) CloseIdleConnections() { | |||
if ci, ok := rt.rt.(closeIdler); ok { |
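Review bot: the `rt.rt.(closeIdler)` assertion at the end of this hunk only delivers the call if every round tripper in the chain implements CloseIdleConnections; if one layer (basic auth, the TLS wrapper) lacks the method, http.Client.CloseIdleConnections stops there silently and the transport's idle connections stay open. Please add the method to each wrapper in the same change and leave a TODO noting that the per-wrapper forwarding can be revisited once Go 1.12 is the minimum, as discussed in the thread.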
This is cleaner in Go 1.12 as it exposes this directly, without having to reach into the transport
You refer to client.CloseIdleConnections()? I don't know how we can avoid going through the nested round-trippers until we call http.Transport.CloseIdleConnections().
https://golang.org/src/net/http/client.go?s=27593:27632#L841
Have we even switched over to go 1.12 everywhere? I feel like it might be a little early to use that. I think I'd prefer this approach at this point.
Can we add a TODO at least to clean this up?
I'm still not clear about what the TODO should be about... AFAICT consumers of the library using Go 1.12 will be able to do this and it will just work:

```go
client, err := config.NewClient(...)
...
client.CloseIdleConnections()
```

But again I don't see how we could avoid having CloseIdleConnections() for all the custom round-trippers if we want client.CloseIdleConnections() to be effective.
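The chain Simon describes, as an added example rather than code from the PR: http.Client.CloseIdleConnections (Go 1.12+) performs a closeIdler type assertion on the client's Transport, so the call reaches *http.Transport only if every wrapping round tripper forwards it. bearerAuthRoundTripper and closeIdler reuse the PR's names; leakyRoundTripper (a wrapper that forgets the method) and countingTransport (a stand-in for *http.Transport) are constructed for the demo, and no network connection is opened.

```go
package main

import (
	"fmt"
	"net/http"
)

// closeIdler is the method each wrapping round tripper must forward so that
// http.Client.CloseIdleConnections (Go 1.12+) reaches the innermost *http.Transport.
type closeIdler interface{ CloseIdleConnections() }

// bearerAuthRoundTripper adds a bearer token and forwards everything else,
// including CloseIdleConnections, to the wrapped round tripper.
type bearerAuthRoundTripper struct {
	token string
	rt    http.RoundTripper
}

func (b *bearerAuthRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	req = req.Clone(req.Context()) // never mutate the caller's request
	req.Header.Set("Authorization", "Bearer "+b.token)
	return b.rt.RoundTrip(req)
}

func (b *bearerAuthRoundTripper) CloseIdleConnections() {
	if ci, ok := b.rt.(closeIdler); ok {
		ci.CloseIdleConnections()
	}
}

// leakyRoundTripper is the counter-example: it forwards requests but lacks
// CloseIdleConnections, so the call stops there and the transport's idle
// connections (and the TLS state they carry) stay open.
type leakyRoundTripper struct{ rt http.RoundTripper }

func (l *leakyRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) { return l.rt.RoundTrip(req) }

// countingTransport stands in for *http.Transport and records close calls.
type countingTransport struct{ closed int }

func (c *countingTransport) RoundTrip(*http.Request) (*http.Response, error) {
	return &http.Response{StatusCode: http.StatusOK}, nil
}
func (c *countingTransport) CloseIdleConnections() { c.closed++ }

// reachesTransport builds client -> bearer wrapper -> middle -> transport, calls
// the Go 1.12 http.Client.CloseIdleConnections and reports whether it arrived.
func reachesTransport(middle func(http.RoundTripper) http.RoundTripper) bool {
	inner := &countingTransport{}
	client := &http.Client{Transport: &bearerAuthRoundTripper{token: "constructed-demo-token", rt: middle(inner)}}
	client.CloseIdleConnections()
	return inner.closed == 1
}

// direct puts nothing between the bearer wrapper and the transport; leaky
// inserts a wrapper that does not implement closeIdler.
func direct(rt http.RoundTripper) http.RoundTripper { return rt }
func leaky(rt http.RoundTripper) http.RoundTripper  { return &leakyRoundTripper{rt: rt} }

func main() {
	fmt.Println(reachesTransport(direct)) // true
	fmt.Println(reachesTransport(leaky))  // false
}
```

The second case is the failure mode worth testing for in any library that stacks round trippers: the caller gets no error, the method simply never reaches the transport, and connections negotiated with the previous certificates keep being reused until the server closes them.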
lgtm 👍
@simonpasquier this is so awesome. I will be able to drop my https://github.com/roidelapluie/sslproxy :)
config/http_config.go
Outdated
} | ||
|
||
func (t *tlsRoundTripper) CloseIdleConnections() { | ||
t.mtx.Lock() |
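Review bot: t.mtx.Lock() in CloseIdleConnections takes the exclusive lock although the method only reads t.rt before forwarding the call; if mtx is an RWMutex, a t.mtx.RLock()/RUnlock() pair is sufficient and avoids blocking concurrent RoundTrip callers on their read-locked fast path.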
Wouldn't this be a read lock?
Correct.
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
This change bumps github.com/prometheus/common to include prometheus/common#173
Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* Reload certificates from disk automatically
  This change bumps github.com/prometheus/common to include prometheus/common#173
  Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* scrape: close idle connections on reload/stop
  Signed-off-by: Simon Pasquier <spasquie@redhat.com>
* use v0.3.0 tag
  Signed-off-by: Simon Pasquier <spasquie@redhat.com>
Trace Websockets requests
Fix for prometheus/prometheus#4155.
cc @brian-brazil @brancz