Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions packages/envd/internal/api/init.go
Original file line number Diff line number Diff line change
Expand Up @@ -214,8 +214,7 @@ func (a *API) SetData(ctx context.Context, logger zerolog.Logger, data PostInitJ
}

if data.CaBundle != nil && *data.CaBundle != "" {
err := a.caCertInstaller.Install(context.WithoutCancel(ctx), *data.CaBundle)
if err != nil {
if err := a.caCertInstaller.Install(ctx, *data.CaBundle); err != nil {
Comment thread
ValentaTomas marked this conversation as resolved.
Comment thread
ValentaTomas marked this conversation as resolved.
return fmt.Errorf("failed to install CA bundle: %w", err)
}
}
Expand Down
23 changes: 14 additions & 9 deletions packages/envd/internal/host/cacerts.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,10 @@ import (
"os"
"path/filepath"
"strings"
"sync"
"time"

"github.com/rs/zerolog"
"golang.org/x/sync/semaphore"
)

const (
Expand All @@ -28,7 +28,7 @@ const (
// ExecStartPre), so all reads and writes bypass the NBD-backed filesystem and
// atomic cert rotation via os.Rename works within the same device.
type CACertInstaller struct {
mu sync.Mutex
mu *semaphore.Weighted
logger *zerolog.Logger

// lastCACert caches the most recently installed PEM so that resume (same
Expand All @@ -40,7 +40,10 @@ type CACertInstaller struct {
}

func NewCACertInstaller(logger *zerolog.Logger) *CACertInstaller {
return &CACertInstaller{logger: logger}
return &CACertInstaller{
logger: logger,
mu: semaphore.NewWeighted(1),
}
}

// Install injects certPEM into the system CA bundle. Returns an error if the
Expand All @@ -64,7 +67,7 @@ func (c *CACertInstaller) Install(ctx context.Context, certPEM string) error {
//
// All goroutine work runs under mu to keep the bundle and extra-certs file
// consistent with concurrent foreground appends.
func (c *CACertInstaller) install(_ context.Context, certPEM, bundlePath, extraPath string) error {
func (c *CACertInstaller) install(ctx context.Context, certPEM, bundlePath, extraPath string) error {
if certPEM == "" {
return nil
}
Expand All @@ -75,8 +78,10 @@ func (c *CACertInstaller) install(_ context.Context, certPEM, bundlePath, extraP
// consistent regardless of how the caller formatted the PEM.
normalized := strings.TrimRight(certPEM, "\n") + "\n"

c.mu.Lock()
defer c.mu.Unlock()
if err := c.mu.Acquire(ctx, 1); err != nil {
return fmt.Errorf("acquire CA install lock: %w", err)
}
defer c.mu.Release(1)

if c.lastCACert == normalized {
c.logger.Debug().
Expand Down Expand Up @@ -107,11 +112,11 @@ func (c *CACertInstaller) install(_ context.Context, certPEM, bundlePath, extraP
Dur("append_duration", time.Since(start)).
Msg("CA cert appended to bundle")

go func() {
go func() { //nolint:contextcheck // background cleanup must outlive the caller's ctx
cleanStart := time.Now()

c.mu.Lock()
defer c.mu.Unlock()
_ = c.mu.Acquire(context.Background(), 1)
defer c.mu.Release(1)

// A newer install has taken over; let that goroutine handle cleanup.
if c.lastCACert != normalized {
Expand Down
2 changes: 1 addition & 1 deletion packages/envd/pkg/version.go
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
package pkg

const Version = "0.5.23"
const Version = "0.5.24"
Loading