fix(session tickets): improve smoothness of key rotation

tsuru · Jun 15, 2020 · 8117969 · 8117969
1 parent 3c099c8
commit 8117969
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 0 deletions.
diff --git a/deploy/role.yaml b/deploy/role.yaml
@@ -96,3 +96,10 @@ rules:
   verbs:
   - get
   - patch
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - patch
diff --git a/internal/pkg/rpaas/nginx/configuration_render.go b/internal/pkg/rpaas/nginx/configuration_render.go
@@ -339,6 +339,7 @@ http {
         local rpaasv2_session_ticket_reloader = require('tsuru.rpaasv2.tls.session_ticket_reloader'):new({
             ticket_file      = '/etc/nginx/tickets/ticket.0.key',
             retain_last_keys = {{ tlsSessionTicketKeys $instance }},
+            sync_interval    = 1,
         })
         rpaasv2_session_ticket_reloader:start_worker()
         {{- end }}

diff --git a/internal/pkg/rpaas/nginx/configuration_render_test.go b/internal/pkg/rpaas/nginx/configuration_render_test.go
@@ -472,6 +472,7 @@ func TestRpaasConfigurationRenderer_Render(t *testing.T) {
 \s+local rpaasv2_session_ticket_reloader = require\('tsuru.rpaasv2.tls.session_ticket_reloader'\):new\(\{
 \s+ticket_file      = '/etc/nginx/tickets/ticket.0.key',
 \s+retain_last_keys = 1,
+\s+sync_interval    = 1,
 \s+\}\)
 \s+rpaasv2_session_ticket_reloader:start_worker\(\)
 \s+\}`, result)
@@ -506,6 +507,7 @@ func TestRpaasConfigurationRenderer_Render(t *testing.T) {
 \s+local rpaasv2_session_ticket_reloader = require\('tsuru.rpaasv2.tls.session_ticket_reloader'\):new\(\{
 \s+ticket_file      = '/etc/nginx/tickets/ticket.0.key',
 \s+retain_last_keys = 6,
+\s+sync_interval    = 1,
 \s+\}\)
 \s+rpaasv2_session_ticket_reloader:start_worker\(\)
 \s+\}`, result)

diff --git a/pkg/controller/rpaasinstance/rpaasinstance_controller.go b/pkg/controller/rpaasinstance/rpaasinstance_controller.go
@@ -18,6 +18,7 @@ import (
 	"github.com/imdario/mergo"
 	"github.com/sirupsen/logrus"
 	nginxv1alpha1 "github.com/tsuru/nginx-operator/pkg/apis/nginx/v1alpha1"
+	nginxk8s "github.com/tsuru/nginx-operator/pkg/k8s"
 	"github.com/tsuru/rpaas-operator/config"
 	"github.com/tsuru/rpaas-operator/internal/pkg/rpaas/nginx"
 	"github.com/tsuru/rpaas-operator/pkg/apis/extensions/v1alpha1"
@@ -31,6 +32,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	k8sErrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8slabels "k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
@@ -151,10 +153,22 @@ function rotate_session_tickets() {
     --patch="$(json_merge_patch_payload ${key})"
 }
 
+function update_nginx_pods() {
+  local selector=${1}
+
+  ${KUBECTL} annotate pods --overwrite --namespace ${SECRET_NAMESPACE} --selector ${selector} \
+    rpaas.extensions.tsuru.io/last-session-ticket-key-rotation="$(date +'%Y-%m-%dT%H:%M:%SZ')"
+}
+
 function main() {
   echo "Starting rotation of TLS session tickets within Secret (${SECRET_NAMESPACE}/${SECRET_NAME})..."
   rotate_session_tickets $(generate_key)
   echo "TLS session tickets successfully updated."
+
+  if [[ -n ${NGINX_LABEL_SELECTOR} ]]; then
+    echo "Updating Nginx pods with selector (${NGINX_LABEL_SELECTOR})..."
+    update_nginx_pods ${NGINX_LABEL_SELECTOR}
+  fi
 }
 
 main $@
@@ -592,6 +606,10 @@ func newCronJobForSessionTickets(instance *v1alpha1.RpaasInstance) *batchv1beta1
 											Name:  "SESSION_TICKET_KEYS",
 											Value: fmt.Sprint(tlsSessionTicketKeys(instance)),
 										},
+										{
+											Name:  "NGINX_LABEL_SELECTOR",
+											Value: k8slabels.FormatLabels(nginxk8s.LabelsForNginx(instance.Name)),
+										},
 									},
 									VolumeMounts: []corev1.VolumeMount{
 										{

diff --git a/pkg/controller/rpaasinstance/rpaasinstance_controller_test.go b/pkg/controller/rpaasinstance/rpaasinstance_controller_test.go
@@ -1684,6 +1684,10 @@ func TestReconcileRpaasInstance_reconcileTLSSessionResumption(t *testing.T) {
 										Name:  "SESSION_TICKET_KEYS",
 										Value: "1",
 									},
+									{
+										Name:  "NGINX_LABEL_SELECTOR",
+										Value: "nginx.tsuru.io/app=nginx,nginx.tsuru.io/resource-name=my-instance",
+									},
 								},
 								VolumeMounts: []corev1.VolumeMount{
 									{
@@ -1762,6 +1766,7 @@ func TestReconcileRpaasInstance_reconcileTLSSessionResumption(t *testing.T) {
 				assert.Equal(t, "my.custom.image:tag", gotCronJob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Image)
 				assert.Contains(t, gotCronJob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{Name: "SESSION_TICKET_KEY_LENGTH", Value: "80"})
 				assert.Contains(t, gotCronJob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{Name: "SESSION_TICKET_KEYS", Value: "4"})
+				assert.Contains(t, gotCronJob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{Name: "NGINX_LABEL_SELECTOR", Value: "nginx.tsuru.io/app=nginx,nginx.tsuru.io/resource-name=my-instance"})
 			},
 		},
 		{
-Original file line number
+Diff line change
@@ Expand Up / @@ -96,3 +96,10 @@ rules: @@
       verbs:
       - get
       - patch
+    - apiGroups: [""]
+      resources:
+      - pods
+      verbs:
+      - get
+      - list
+      - patch