From 334ca4965b6b813ef56aef3c49295915c0b97e05 Mon Sep 17 00:00:00 2001
From: Forrest Marshall
Date: Tue, 5 Nov 2024 14:07:38 -0800
Subject: [PATCH] only preload local cluster cas
---
 lib/auth/client_tls_config_generator.go | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/lib/auth/client_tls_config_generator.go b/lib/auth/client_tls_config_generator.go
index 61cd6c4707eac..082abcca7656b 100644
--- a/lib/auth/client_tls_config_generator.go
+++ b/lib/auth/client_tls_config_generator.go
@@ -204,10 +204,10 @@ func (c *ClientTLSConfigGenerator) refreshClientTLSConfigs(ctx context.Context)
 }
 }
-// watchForCAChanges sets up a cert authority watcher and triggers regeneration of client
-// tls configs for a given cluster whenever a CA associated with that cluster is modified.
-// note that this function errs on the side of regenerating more often than might be
-// strictly necessary.
+// watchForCAChanges sets up a cert authority watcher to ensure that we don't serve outdated
+// tls configs. for the local cluster it aggressively triggers regeneration. for other clusters
+// it invalidates extant state, allowing lazy generation on first need. this function errs on the
+// side of caution and triggers regen/invalidation more often than might be strictly necessary.
 func (c *ClientTLSConfigGenerator) watchForCAChanges(ctx context.Context) error {
 watcher, err := c.cfg.AccessPoint.NewWatcher(ctx, types.Watch{
 Name: "client-tls-config-generator",
@@ -247,8 +247,14 @@ func (c *ClientTLSConfigGenerator) watchForCAChanges(ctx context.Context) error
 // ignore non-local cluster CA events when we aren't configured to support them
 continue
 }
- // trigger regen of client tls configs for the associated cluster.
- c.clientTLSConfigs.Generate(event.Resource.GetName())
+
+ if event.Resource.GetName() == c.cfg.ClusterName {
+ // actively regenerate on modifications associated with the local cluster
+ c.clientTLSConfigs.Generate(event.Resource.GetName())
+ } else {
+ // clear extant state on modifications associated with non-local clusters
+ c.clientTLSConfigs.Terminate(event.Resource.GetName())
+ }
 }
 case <-ctx.Done():
 return nil
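Review bot: The new `Terminate` branch for non-local clusters depends on lazy regeneration at the next lookup, and nothing in this hunk shows how an in-flight `Generate` for the same cluster (for example one started by a concurrent lookup just before the CA event) is reconciled with the invalidation; if the generator does not serialize or supersede the older run, a config built from the pre-event CA set could be published after `Terminate` and served until the next CA event. It is worth confirming in `clientTLSConfigs` (outside this hunk) that a generation begun before the invalidation cannot land afterward, and recording that in the comment, e.g. `// clear extant state on modifications associated with non-local clusters; the config is rebuilt lazily on the next lookup`. As a point of style, `event.Resource.GetName()` is evaluated three times in the new branch; `name := event.Resource.GetName()` ahead of the `if` would read more clearly. The enclosing `for`/`select` of watchForCAChanges begins before this hunk.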