Skip to content

Commit

Permalink
only preload local cluster cas (#48483)
Browse files Browse the repository at this point in the history
  • Loading branch information
fspmarshall authored Nov 6, 2024
1 parent 29f877e commit d809f95
Showing 1 changed file with 12 additions and 6 deletions.
18 changes: 12 additions & 6 deletions lib/auth/client_tls_config_generator.go
Original file line number Diff line number Diff line change
Expand Up @@ -211,10 +211,10 @@ func (c *ClientTLSConfigGenerator) refreshClientTLSConfigs(ctx context.Context)
}
}

// watchForCAChanges sets up a cert authority watcher and triggers regeneration of client
// tls configs for a given cluster whenever a CA associated with that cluster is modified.
// note that this function errs on the side of regenerating more often than might be
// strictly necessary.
// watchForCAChanges sets up a cert authority watcher to ensure that we don't serve outdated
// tls configs. for the local cluster it aggressively triggers regeneration. for other clusters
// it invalidates extant state, allowing lazy generation on first need. this function errs on the
// side of caution and triggers regen/invalidation more often than might be strictly necessary.
func (c *ClientTLSConfigGenerator) watchForCAChanges(ctx context.Context) error {
watcher, err := c.cfg.AccessPoint.NewWatcher(ctx, types.Watch{
Name: "client-tls-config-generator",
Expand Down Expand Up @@ -254,8 +254,14 @@ func (c *ClientTLSConfigGenerator) watchForCAChanges(ctx context.Context) error
// ignore non-local cluster CA events when we aren't configured to support them
continue
}
// trigger regen of client tls configs for the associated cluster.
c.clientTLSConfigs.Generate(event.Resource.GetName())

if event.Resource.GetName() == c.cfg.ClusterName {
// actively regenerate on modifications associated with the local cluster
c.clientTLSConfigs.Generate(event.Resource.GetName())
} else {
// clear extant state on modifications associated with non-local clusters
c.clientTLSConfigs.Terminate(event.Resource.GetName())
}
}
case <-ctx.Done():
return nil
Expand Down

0 comments on commit d809f95

Please sign in to comment.