-
Notifications
You must be signed in to change notification settings - Fork 7.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix intermediate rotation test in ztunnel #50130
base: master
Are you sure you want to change the base?
Conversation
"ca-cert.pem", "ca-key.pem", | ||
"cert-chain.pem", "root-cert.pem"); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is broken since the test asserts we are using the same root (its testing intermediates). But I don't understand how we generated these (broken) certs to regenerate them correctly. There seems to be no code for this.
@zirain maybe you can help?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Line 16 in 1ee1a43
- `cert-chain.pem`: certificate trust chain. |
I don't know why @GregHanson didn't use ca-cert.pem
and ca-cert-alt.pem
in the beginning.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, haven't been following this debug too closely. @zirain here is the discussion for why I had to generate new ones:
#48168 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@howardjohn cert should have been generated with the script security/samples/plugin_ca_certs/gen_certs.sh
or using the steps here
This should be the same script @hzxuzhonghu used when writing the root cert rotation test
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm, ran this script and updated a bit to try to automate things but failing some tests still.
t.Errorf("failed to update CA secret: %v", err) | ||
} | ||
|
||
// perform one retry to handle race condition where ztunnel cert is refreshed before Istiod certificates are reloaded | ||
retry.UntilSuccess(func() error { | ||
retry.UntilSuccessOrFail(t, func() error { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this wasn't asserting, so they test always passed even though it was broken. Then it left things in a permanently broken state
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
one line docs change LGTM
@@ -95,7 +95,7 @@ values: | |||
ztunnel: | |||
terminationGracePeriodSeconds: 5 | |||
env: | |||
SECRET_TTL: 5m | |||
SECRET_TTL: 1m |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could this create unexpected behavior in the test assertions due to the recent cert refresh_at update?
380587e
to
c1e99e8
Compare
/lifecycle staleproof |
@howardjohn: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Fixes #49648.
Also speeds up the test, which currently takes ~3.5min typically. Now it should take at most 30s