CNTRLPLANE-3751: Add dynamic proxy CA reload for outbound IdP transports#244
tchap wants to merge 1 commit into
Conversation
When PROXY_TRUSTED_CA_FILE is set, the OAuth Server watches the proxy CA file on disk and rebuilds outbound HTTP transports when it changes. The proxy CA is combined with any static IdP CA in the transport's RootCAs, so TLS-intercepting or HTTPS proxies are trusted alongside IdP endpoints. The dynamicCARoundTripper uses DynamicFileCAContent (fsnotify + periodic poll) and swaps the underlying transport atomically. On reload failure the old transport is preserved.
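The transport swap described above, as an added example that is not part of this PR or of openshift/oauth-server: a round tripper that holds an atomic pointer to an http.Transport, rebuilds that transport's RootCAs from a static IdP CA plus the file named by PROXY_TRUSTED_CA_FILE, and keeps the previous transport whenever the read or the PEM parse fails. The names dynamicCARoundTripper, reload, trusts, must and selfSignedCAPEM are assumed here; DynamicFileCAContent (fsnotify plus poll) is stood in for by calling reload() directly from whatever watcher you use, and the CAs are throwaway self-signed certificates generated in-process as constructed input.

```go
package main

// Added illustration, not openshift/oauth-server code; all names below are assumed.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"os"
	"sync/atomic"
	"time"
)

type dynamicCARoundTripper struct {
	staticIdPCA []byte // PEM bundle configured for the IdP; may be empty
	proxyCAPath string // file named by PROXY_TRUSTED_CA_FILE
	transport   atomic.Pointer[http.Transport]
}

// reload re-reads the proxy CA file and atomically swaps in a transport whose RootCAs
// hold the static IdP CA plus the proxy CA. On any error the installed transport stays.
func (rt *dynamicCARoundTripper) reload() error {
	proxyCA, err := os.ReadFile(rt.proxyCAPath)
	if err != nil {
		return err
	}
	pool := x509.NewCertPool()
	if len(rt.staticIdPCA) > 0 && !pool.AppendCertsFromPEM(rt.staticIdPCA) {
		return fmt.Errorf("static IdP CA bundle has no parseable certificates")
	}
	if !pool.AppendCertsFromPEM(proxyCA) {
		return fmt.Errorf("%s has no parseable certificates", rt.proxyCAPath)
	}
	rt.transport.Store(&http.Transport{
		Proxy:           http.ProxyFromEnvironment,
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	})
	return nil
}

// RoundTrip always uses whichever transport is installed at call time.
func (rt *dynamicCARoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
	return rt.transport.Load().RoundTrip(req)
}

// trusts reports whether the installed RootCAs accept certPEM as a trust anchor.
func (rt *dynamicCARoundTripper) trusts(certPEM []byte) bool {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: rt.transport.Load().TLSClientConfig.RootCAs})
	return err == nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSignedCAPEM builds a throwaway CA so the example runs offline (constructed input).
func selfSignedCAPEM(cn string) []byte {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	path := os.TempDir() + "/proxy-ca.crt"
	idpCA, proxyCA := selfSignedCAPEM("idp-ca"), selfSignedCAPEM("proxy-ca")
	must(0, os.WriteFile(path, proxyCA, 0o600))
	rt := &dynamicCARoundTripper{staticIdPCA: idpCA, proxyCAPath: path}
	must(0, rt.reload())
	must(0, os.WriteFile(path, []byte("garbage"), 0o600)) // a bad write must not drop trust
	fmt.Println("reload error:", rt.reload(), "| IdP CA:", rt.trusts(idpCA), "| proxy CA:", rt.trusts(proxyCA))
}
```

The last line prints a parse error for the garbage file and true for both CAs, because the transport built before the bad write is still installed; a missing file behaves the same way, since os.ReadFile fails before anything is swapped. The merge into RootCAs also makes the caveat visible: whoever can write the PROXY_TRUSTED_CA_FILE path chooses which issuers the OAuth server accepts on IdP connections, so that file deserves the same protection as the IdP CA itself.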
@tchap: This pull request references CNTRLPLANE-3751 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
Skipping CI for Draft Pull Request. |
Caution: Review failed. An error occurred during the review process. Please try again later.
Warning: Tools execution failed with the following error: Failed to run tools: 13 INTERNAL: Received RST_STREAM with code 2 (Internal server error)
/jira refresh |
@tchap: This pull request references CNTRLPLANE-3751 which is a valid jira issue.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: tchap. The full list of commands accepted by this bot can be found here. Needs approval from an approver in each of these files: Approvers can indicate their approval by writing