feat: Support hot-reloading for security configuration files #130
siegfriedweber wants to merge 19 commits into main from
Release notes · New platform features · OpenSearch
… the security managing role group in the test explicitly
This file was unused.
| metadata: | ||
| name: opensearch-security-config | ||
| stringData: | ||
| name: custom-opensearch-security-config |
The operator now creates a ConfigMap named <cluster-name>-security-config (see the upgrade guide). Therefore, another name is used here.
The previous version of this script applied the configuration settings and then waited for a pod restart, which could be triggered by a change in the security settings. The new version waits in a loop for configuration changes (checked via file hashes) and then applies them.
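The poll-and-apply mechanism described in the comment above, as an added example (not the operator's own script and not code from this PR): files in a directory are content-hashed, and the apply step runs only when the hash differs from the last successfully applied one. The directory path, the `APPLY_CMD` hook and the five-second interval are assumptions for illustration. The example goes a little beyond the comment in two ways a practitioner would want: it follows symlinks, because Kubernetes publishes ConfigMap and Secret updates by swapping a `..data` symlink, and it does not record the hash when the apply step fails, so a bad apply is retried on the next poll instead of being skipped.

```rust
use std::collections::hash_map::DefaultHasher;
use std::collections::BTreeMap;
use std::fs;
use std::hash::{Hash, Hasher};
use std::io;
use std::path::Path;
use std::process::Command;
use std::thread;
use std::time::Duration;

/// Content hash of the regular files directly inside `dir`, keyed by file name so the
/// result does not depend on directory iteration order. `fs::metadata` and `fs::read`
/// follow symlinks, which matters for ConfigMap and Secret volumes: Kubernetes publishes
/// a new version by swapping a `..data` symlink, so only the content tells us that a
/// file changed. Subdirectories (such as the timestamped `..2024_...` ones) are skipped.
pub fn config_hash(dir: &Path) -> io::Result<u64> {
    let mut files: BTreeMap<String, Vec<u8>> = BTreeMap::new();
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        let path = entry.path();
        if fs::metadata(&path)?.is_file() {
            let name = entry.file_name().to_string_lossy().into_owned();
            files.insert(name, fs::read(&path)?);
        }
    }
    // SipHash is fine for an in-process change check; persist a proper digest
    // (e.g. SHA-256) instead if the last-applied state must survive a restart.
    let mut hasher = DefaultHasher::new();
    files.hash(&mut hasher);
    Ok(hasher.finish())
}

#[derive(Debug, PartialEq, Eq)]
pub enum Outcome {
    Applied,
    Unchanged,
    ApplyFailed,
}

/// One poll step. Runs `apply` only when the hash differs from `last_applied` and
/// records the new hash only on success, so a failed apply is retried next time.
pub fn reload_if_changed<F>(dir: &Path, last_applied: &mut Option<u64>, mut apply: F) -> io::Result<Outcome>
where
    F: FnMut() -> bool,
{
    let current = config_hash(dir)?;
    if *last_applied == Some(current) {
        return Ok(Outcome::Unchanged);
    }
    if apply() {
        *last_applied = Some(current);
        Ok(Outcome::Applied)
    } else {
        Ok(Outcome::ApplyFailed)
    }
}

/// Foreground loop, as a container entrypoint would run it. Never returns.
pub fn watch_loop<F>(dir: &Path, interval: Duration, mut apply: F) -> !
where
    F: FnMut() -> bool,
{
    let mut last_applied = None;
    loop {
        match reload_if_changed(dir, &mut last_applied, &mut apply) {
            Ok(Outcome::Applied) => eprintln!("applied security configuration"),
            Ok(Outcome::Unchanged) => {}
            Ok(Outcome::ApplyFailed) => eprintln!("apply failed, will retry"),
            Err(e) => eprintln!("cannot read {}: {e}", dir.display()),
        }
        thread::sleep(interval);
    }
}

fn main() {
    // Illustrative entrypoint (assumed): the directory comes from argv and the apply
    // step is an assumed `APPLY_CMD` environment variable run through `sh -c`.
    let dir = std::env::args().nth(1).unwrap_or_else(|| "./security-config".to_owned());
    let cmd = std::env::var("APPLY_CMD").unwrap_or_else(|_| "echo applying security configuration".to_owned());
    watch_loop(Path::new(&dir), Duration::from_secs(5), || {
        Command::new("sh").arg("-c").arg(&cmd).status().map(|s| s.success()).unwrap_or(false)
    })
}
```

Polling by content hash is deliberately simple: it needs no inotify support for the volume's symlink dance and it also catches edits that keep the modification time.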
| /// | ||
| /// Returns `None` if the security plugin is disabled or all configuration files are | ||
| /// references. | ||
| pub fn build_maybe_security_config_map(&self) -> Option<ConfigMap> { |
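Review bot: the doc comment on `build_maybe_security_config_map` says when `None` is returned but not what is built otherwise; state that the ConfigMap is role-wide, carries the security settings defined by value, and is meant to be excluded from the restart controller, so a caller does not add it to the restart-triggering set by mistake. A line such as `/// The returned ConfigMap is role-wide and must be excluded from the restart controller.` would cover it.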
The security settings which are defined by value are now written to a dedicated (role-wide) ConfigMap instead of the role group ConfigMaps. This security ConfigMap is then excluded from the restart controller.
| data.insert(VECTOR_CONFIG_FILE.to_owned(), vector_config_file_content()); | ||
| } | ||
| if let RoleGroupSecurityMode::Initializing { settings, .. } |
Moved to RoleBuilder::build_maybe_security_config_map.
| #[case::security_mode_initializing(TestSecurityMode::Initializing)] | ||
| #[case::security_mode_managing(TestSecurityMode::Managing)] | ||
| #[case::security_mode_participating(TestSecurityMode::Participating)] | ||
| #[case::security_mode_disabled(TestSecurityMode::Disabled)] |
The security settings are no longer located in the role group ConfigMap. Therefore, the security mode test cases were removed.
| ValidatedSecurity::Disabled, | ||
| ValidatedSecurity::ManagedByApi { |
Enable security to trigger the creation of the security ConfigMap.
| /// The restarter uses these annotations to skip restarting Pods when specific Secrets change. | ||
| /// Indices start at 0 and are assigned in iteration order, so **do not merge the result with | ||
| /// annotations from another call** — duplicate indices would overwrite each other. | ||
| pub fn restarter_ignore_secret_annotations( |
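Review bot: the warning in the doc comment (`do not merge the result with annotations from another call`) is a contract nothing enforces; either have the caller that assembles the final annotation set check for keys that are already present before inserting, or accept all Secret names in one call so there is a single index space. The same applies to `restarter_ignore_configmap_annotations`, which this function mirrors.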
This function is similar to restarter_ignore_configmap_annotations. It would also be possible to create a common helper function which accepts IntoIterator<Item = String> or something similar. But I prefer the duplicated code in this case.
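The index-based ignore annotations and the merge hazard the doc comment warns about, as an added example that is not the operator's own code: each call numbers its entries from 0, so merging the results of two calls would overwrite keys, and a merge helper that refuses duplicate keys turns that silent loss into an error. The annotation key prefixes are assumed for illustration and are not the restart controller's real names.

```rust
use std::collections::BTreeMap;

// Assumed key format for illustration; the real restart controller's names are not shown here.
const IGNORE_CONFIGMAP_PREFIX: &str = "configmap.restarter.example.com/ignore-";
const IGNORE_SECRET_PREFIX: &str = "secret.restarter.example.com/ignore-";

/// Annotations telling the restarter to skip restarts when these Secrets change.
/// Indices start at 0 in iteration order, so two results must not be merged blindly.
pub fn restarter_ignore_secret_annotations(names: impl IntoIterator<Item = String>) -> BTreeMap<String, String> {
    indexed_annotations(IGNORE_SECRET_PREFIX, names)
}

/// The same scheme for ConfigMaps; the prefix differs, so the two kinds never collide.
pub fn restarter_ignore_configmap_annotations(names: impl IntoIterator<Item = String>) -> BTreeMap<String, String> {
    indexed_annotations(IGNORE_CONFIGMAP_PREFIX, names)
}

fn indexed_annotations(prefix: &str, names: impl IntoIterator<Item = String>) -> BTreeMap<String, String> {
    names
        .into_iter()
        .enumerate()
        .map(|(index, name)| (format!("{prefix}{index}"), name))
        .collect()
}

/// Merge annotation maps and fail instead of silently overwriting a duplicate key.
pub fn merge_annotations(parts: &[BTreeMap<String, String>]) -> Result<BTreeMap<String, String>, String> {
    let mut merged = BTreeMap::new();
    for part in parts {
        for (key, value) in part {
            if let Some(previous) = merged.insert(key.clone(), value.clone()) {
                return Err(format!(
                    "annotation {key} is already set to {previous}; it would be overwritten by {value}"
                ));
            }
        }
    }
    Ok(merged)
}
```

Collecting all Secret names first and calling the function once is the simplest way to stay inside a single index space; the checked merge is the safety net for the case where that is forgotten.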
| pullPolicy: IfNotPresent | ||
| clusterConfig: | ||
| security: | ||
| managingRoleGroup: security-coord |
Use an explicit managing role group because this is not tested elsewhere.
Description
Support hot-reloading for security configuration files
Settings managed by the operator are hot-reloaded when changed, i.e. without pod restarts.
Part of stackabletech/issues#837
Definition of Done Checklist
Author
Reviewer
Acceptance
type/deprecation label & add to the deprecation schedule
type/experimental label & add to the experimental features tracker