Skip to content

[FlowAggregator] Improve logging and minor refactor in cert provider #7648

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
antoninbas wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[FlowAggregator] Improve logging and minor refactor in cert provider #7648

antoninbas wants to merge 1 commit into from

Conversation

@antoninbas
Copy link
Contributor

@antoninbas antoninbas commented Dec 25, 2025

Improve logging by using klog.InfoS consistently, adding extra log messages and improving correctness of some existing log messages. For example, "Updated client certificate" was sometimes displayed even in the absence of actual update.

Rename some functions for clarity. Use "sync" and "update" as appropriate instead of "rotate" everywhere.

Replace custom pemToCertKey with standard tls.X509KeyPair via new parseKeyPair helper for safer certificate/key pair parsing.

Specify appropriate key usage (ExtKeyUsageServerAuth or ExtKeyUsageClientAuth) when verifying certificates instead of using ExtKeyUsageAny.

Remove duplicate parsing of CA certificate/key PEM data by parsing once in syncCertificates and passing to syncClientCertificate.

Make GenerateCACertKey and GenerateCertKey private.

Note that the logic is overall unchanged, these changes are mostly cosmetic.

@antoninbas
[FlowAggregator] Improve logging and minor refactor in cert provider
5d8418f 
Improve logging by using klog.InfoS consistently, adding extra log
messages and improving correctness of some existing log messages. For
example, "Updated client certificate" was sometimes displayed even in
the absence of actual update.

Rename some functions for clarity. Use "sync" and "update" as
appropriate instead of "rotate" everywhere.

Replace custom `pemToCertKey` with standard `tls.X509KeyPair` via new
`parseKeyPair` helper for safer certificate/key pair parsing.

Specify appropriate key usage (`ExtKeyUsageServerAuth` or
`ExtKeyUsageClientAuth`) when verifying certificates instead of using
`ExtKeyUsageAny`.

Remove duplicate parsing of CA certificate/key PEM data by parsing
once in `syncCertificates` and passing to `syncClientCertificate`.

Make `GenerateCACertKey` and `GenerateCertKey` private.

Note that the logic is overall unchanged, these changes are mostly
cosmetic.

Signed-off-by: Antonin Bas <[email protected]>
@antoninbas antoninbas requested a review from andrew-su December 25, 2025 01:18
@antoninbas
Copy link
Contributor Author

antoninbas commented Dec 25, 2025

Sample logs with verbosity 3:

I1225 01:14:39.939797       1 provider.go:148] "Certificate event, enqueuing for sync"
I1225 01:14:40.027945       1 provider.go:181] "Syncing certificates"
I1225 01:14:40.028132       1 provider.go:288] "CA certificate does not need to be updated"
I1225 01:14:40.028277       1 provider.go:325] "Client Secret not found"
I1225 01:14:40.028284       1 provider.go:334] "Updating client certificate"
I1225 01:14:40.098587       1 provider.go:372] "Syncing Secret" name="flow-aggregator-client-tls"
I1225 01:14:40.103645       1 provider.go:148] "Certificate event, enqueuing for sync"
I1225 01:14:40.103777       1 provider.go:342] "Updated client certificate"
I1225 01:14:40.103799       1 provider.go:411] "CA ConfigMap not found"
I1225 01:14:40.103809       1 provider.go:435] "Syncing ConfigMap" name="flow-aggregator-ca"
I1225 01:14:40.106495       1 provider.go:148] "Certificate event, enqueuing for sync"
I1225 01:14:40.209217       1 provider.go:234] "Certificates and keys stored locally"
I1225 01:14:40.209251       1 provider.go:181] "Syncing certificates"
I1225 01:14:40.209407       1 provider.go:288] "CA certificate does not need to be updated"

@antoninbas antoninbas added the area/flow-visibility/aggregator Issues or PRs related to Flow Aggregator label Dec 25, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrew-su andrew-su Awaiting requested review from andrew-su

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

area/flow-visibility/aggregator Issues or PRs related to Flow Aggregator

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@antoninbas