Open mosesn opened 5 years ago
cc @lizan
Thanks for the report, I believe this is bug, cc @JimmyCYJ @incfly @PiotrSikora
SdsApi compares protobuf content of the response from SDS, but ignore the resource version, so there is no way to trigger config update if the Secret
is exactly same.
+1 a bug.
So the tls_certificate
is specified via DataSource.filename
, the actual file blob has changed, but we don't bother to re-read. resource version
here should be used to indicate the updates and sds is supposed to follow other xds.
Thanks for the report. Originally SDS is running on top of gRPC subscription. I guess SDS is using filesystem subscription in this case. We need to add resource version into secret update.
@JimmyCYJ This happens regardless of gRPC subscription or not, when the DataSource has same filename, SDS won't re-read and no way to trigger it to read (which resource version should trigger)
When you refer to resource version
does that mean the version_info
in the DiscoveryResponse? Is the idea that I should increment it every time I want to provide an update?
@mosesn yes, and also version in Resource
https://github.com/envoyproxy/envoy/blob/master/api/envoy/api/v2/discovery.proto#L226
Got it. But Resource
is only if I use the DeltaDiscovery API, which is only relevant in the incremental xDS case.
In the mean time, it sounds like I can get around this issue by supplying the actual bytes instead of a path? Is that correct?
In the mean time, it sounds like I can get around this issue by supplying the actual bytes instead of a path? Is that correct?
That's correct, if you make your management server push update with inline_string
, the hash will be different and trigger a update. We use that in Istio.
Description: I’m setting up SDS over REST-JSON and we’re having trouble getting envoy to acknowledge that a cert has changed when we send back a message to try to indicate it should re-read the certs. We're sending a Secret-type resource that we're configuring like this:
And since the
certPath
andprivateKeyPath
don't change (only the contents have changed), the resource is the same as before.I noticed that I’m not seeing this log message: "ENVOY_LOG(debug, "Secret is updated.");" from https://github.com/envoyproxy/envoy/blob/v1.10.0/source/extensions/transport_sockets/tls/ssl_socket.cc#L495 when it replies, even though I'm running at debug log level.
I would expect the /certs endpoint to reflect that the cert has changed, and I would expect it to use the new cert when trying to talk to the upstream (I haven't checked whether it also behaves this way for the downstream). Neither of those seems to be happening.
We're using envoy v1.10.0
Repro steps: Spin up an envoy service with a config file pointing to an SDS service speaking REST-JSON. Change the cert and key that it's using for an upstream, and reply with a
Secret
that tells it to inspect the same path it was using before.Admin and Stats Output:
Config:
Logs:
Edit: I tried building it in a non-long-polled fashion and it still exhibits the error, so I'm removing all mentions of long-polling from my description. In the config where it says the refresh delay is 1ms, I also tried with a refresh delay of 5s when I'm doing short-polling and it exhibits the same behavior.