Closed orenbm closed 4 years ago
@orenbm won't waiting to return 200 until the cert injection is complete cause the API request to hang?
Our current design is basically (as I understand it):
I think if we're seriously considering a better pattern than our current one we should consider something like what the Open Service Broker spec uses:
If we are going to revise the flow here, I think @cyberark/aam-architects should weigh in on the impact of having the API hang mid-request.
thanks @izgeri . Actually the suggested approach here is the current one, at least as seen in the code. Unless i misunderstand the code, we verify that the cert is injected before returning 200 OK. the issue is that we are not doing it properly. you can see the flow here. let me know if you understand it different that me. That's why i have treated this as a bug and not as a behaviour change.
However, i am open to re-thinking this approach and designing it better to not wait for a response but to write the errors to the log nevertheless (which is not happening today).
Summary
Currently, we close the WebSocket connection after we send the injection request to kubectl. This is not correct as this way we do not wait for kubectl to send its response.
This has 2 implications:
We need to verify that the cert is written to the client's container before returning a 200 OK response.
Steps to Reproduce
Steps to reproduce the behavior:
/etc/conjur/ssl
)inject_client_cert
although the cert was not copied.Expected Results
inject_client_cert
request fails if the cert injection fails (and logs are written in the server indicating the reason)inject_client_cert
request succeeds only after the cert is writtenActual Results (including error logs, if applicable)
inject_client_cert
request succeeds fast.Reproducible