Reapply sidecar injector CA bundle to prevent overwrite

[ostromart]

Fixes #6069
Tell me if this looks reasonable and I will test it.

[ayj]

Does the server's cert file (wh.certFile) include the CA bundle?

[ostromart]

Ah, that was a mistake - fixed.

[ayj]

Is the intent here to support CA cert rotation? If not, the caCertPEM re-load code can be removed.

[ostromart]

Yes, might as well include this since it's a minor addition.

[ayj]

patchCert() can be removed with this change.

[ostromart]

Currently if we don't succeed within 1 min we get an error and exit. If this is removed, we would continue and just log the error. Is that acceptable?

[ayj]

Yes

[ayj]

This is an improvement over the existing (broken) behavior. It will lead to some noise in api-server logs. That could be mitigated by updating PatchMutatingWebhookConfig to skip invoking PATCH if the strategic merge patch is empty.

Ideally this would be driven by watching the webhook configuration (via watch or informer) and only PATCH'ing if change is observed. Is there a follow-up tracking issue for that work item?

[ostromart]

There is now: #6451

[codecov]

Codecov Report

Merging #6435 into master will increase coverage by 1%.
The diff coverage is 100%.

@@           Coverage Diff           @@
##           master   #6435    +/-   ##
=======================================
+ Coverage      68%     68%    +1%     
=======================================
  Files         357     351     -6     
  Lines       31086   30833   -253     
=======================================
- Hits        21010   20847   -163     
+ Misses       9240    9144    -96     
- Partials      836     842     +6

Impacted Files	Coverage Δ
pkg/util/webhookpatch.go	78% <100%> (+1%)	⬆️
galley/pkg/server/server.go	81% <0%> (-9%)	⬇️
pilot/pkg/config/memory/monitor.go	82% <0%> (-9%)	⬇️
mixer/adapter/circonus/circonus.go	68% <0%> (-7%)	⬇️
mixer/adapter/signalfx/registry.go	86% <0%> (-5%)	⬇️
pilot/pkg/serviceregistry/kube/controller.go	64% <0%> (-4%)	⬇️
galley/pkg/mcp/snapshot/snapshot.go	96% <0%> (-4%)	⬇️
pilot/pkg/serviceregistry/kube/queue.go	86% <0%> (-3%)	⬇️
pilot/pkg/proxy/envoy/v2/debug.go	30% <0%> (-2%)	⬇️
galley/pkg/mcp/server/server.go	85% <0%> (-2%)	⬇️
... and 74 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update ab75e24...24ca447. Read the comment docs.

[ostromart]

Currently if we don't succeed within 1 min we get an error and exit. If this is removed, we would continue and just log the error. Is that acceptable?

[ostromart]

There is now: #6451

[ostromart]

Ah, that was a mistake - fixed.

[ostromart]

Yes, might as well include this since it's a minor addition.

[ostromart]

I didn't like entangling the patch functionality into this type, so I moved it entirely into main.

[ayj]

Lines 103-105 are correct for validating webhook. You need to make the same change for the mutating webhook on line 61.

[ostromart]

Done

[ayj]

Can you also reference the tracking issue for watch triggered patch (#6451)? e.g.

// TODO(https://github.com/istio/istio/issues/6451) - only patch when caBundle changes

[ostromart]

Done

[ayj]

This doesn't filter on file event type (e.g. delete). Any chance that this read will fail in such cases and overwrite caCertPem with nil? Maybe something like the following?

if b, err := ioutil.ReadFile(flags.caCertFile); err != nil { 
    /* error */ 
} else {
    caCertPem = b
}

[ostromart]

Done

[ayj]

/lgtm

Also, pausing auto-merge until fix is manually verified
/hold

[ostromart]

Verified that reapplying istio.yaml blows away caBundle but it is immediately restored.

[ostromart]

/hold cancel

[ayj]

/lgtm

[hklai]

/lgtm

[istio-testing]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ayj, hklai, ostromart

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pilot/OWNERS [ayj,hklai]
• pkg/OWNERS [hklai]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hklai]

/test istio-unit-tests

[istio-testing]

@ostromart: The following tests failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
prow/e2e-dashboard.sh	24ca447	link	/test e2e-dashboard
prow/istio-unit-tests.sh	24ca447	link	/test istio-unit-tests

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.