feat(session): manage KAP mTLS agent credentials#1264
Conversation
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #1264 +/- ##
==========================================
+ Coverage 90.59% 90.66% +0.06%
==========================================
Files 349 351 +2
Lines 26429 26997 +568
==========================================
+ Hits 23944 24477 +533
- Misses 1685 1708 +23
- Partials 800 812 +12 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
| if err := m.swapCurrentSymlink(releaseID); err != nil { | ||
| return err | ||
| } | ||
| if _, err := m.runSystemctl(ctx, "enable", AgentService); err != nil { | ||
| return fmt.Errorf("enable KAP mTLS agent: %w", err) | ||
| } | ||
| if _, err := m.runSystemctl(ctx, "restart", AgentService); err != nil { | ||
| return fmt.Errorf("restart KAP mTLS agent: %w", err) | ||
| } | ||
| if !m.waitReady(ctx) { | ||
| return fmt.Errorf("KAP mTLS agent did not become ready") | ||
| } |
There was a problem hiding this comment.
P1 — Failed activation is reported as successfully applied. UpdateCredentials switches current before enabling/restarting the service. If restart fails while the old agent remains alive, subsequent Status reports the new on-disk credentials together with AgentActive=true and AgentReady=true. The reconciler therefore considers the desired generation installed, although the running process still uses the old certificate/CA/endpoint. I reproduced this state. Track an applied generation only after readiness, roll back the symlink on activation failure, or verify the running certificate serial.
Add crash-safe credential activation and kubelet cutover over the existing session channel for newly opted-in nodes. Co-Authored-By: Codex <noreply@openai.com>
Prevent restart and rollback paths from advancing persisted state until the agent reports the expected loaded certificate. Co-Authored-By: Codex <noreply@openai.com>
Report explicit disablement to the control plane and retain its durable marker until agent activation has fully succeeded. Co-Authored-By: Codex <noreply@openai.com>
Cover malformed identity material, durable state corruption, rollback failures, and kubeconfig transition errors so the credential lifecycle remains diagnosable and retryable. Co-Authored-By: Codex <noreply@openai.com>
Treat TLS verification as successful once the handshake completes because a peer may close before the best-effort close-notify write. Co-Authored-By: Codex <noreply@openai.com>
Co-Authored-By: Codex <noreply@openai.com>
Co-Authored-By: Codex <noreply@openai.com>
Co-Authored-By: Codex <noreply@openai.com>
Co-Authored-By: Codex <noreply@openai.com>
Serialize state-directory updates, roll back failed activation, and persist machine-bound session proof across restarts.\n\nCo-Authored-By: Codex <noreply@openai.com>
Exercise validation, atomic release, activation rollback, and readiness failure paths so the new manager behavior is protected by the PR coverage gate.\n\nCo-Authored-By: Codex <noreply@openai.com>
Co-Authored-By: Codex <noreply@openai.com>
Co-Authored-By: Codex <noreply@openai.com>
75954b9 to
5655918
Compare
Summary
currentsymlink, restart the agent, and acknowledge the update only after/readyzsucceedsRollout
kap-mtls-agentpackageVerification
GOFLAGS=-mod=mod go test -count=1 ./pkg/kapmtlsGOFLAGS=-mod=mod go test -count=1 -gcflags='all=-N -l' ./pkg/sessionGOFLAGS=-mod=mod go test -race ./pkg/kapmtlsGOFLAGS=-mod=mod go vet ./pkg/kapmtls ./pkg/sessionThe repository-wide default
pkg/sessiontest command requires Mockey's-gcflags='all=-N -l'on macOS/arm64; the changed package scope passes with that required flag.Jira: LEP-5336