Skip to content

feat: watch file update on executor config #2278

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 9, 2025
Merged

feat: watch file update on executor config #2278

merged 2 commits into from
Jun 9, 2025

Conversation

binbin-li
Copy link
Contributor

@binbin-li binbin-li commented Jun 5, 2025
edited
Loading

Description

What this PR does / why we need it:

  1. Add file watcher on the executor config file so that Ratify server could pick up the latest configuration and generate a new executor.
  2. Update server struct by replacing executor field with a getExecutor function callback so that server could always get the latest executor.
  3. Update TLSCertWatcher by replacing the RWMutex with atomic.Pointer to improve the performance while maintaining the thread safety.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • This change requires a documentation update

How Has This Been Tested?

Added unit test.

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

@codecov Codecov
Copy link

codecov bot commented Jun 5, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 80.85106% with 18 lines in your changes missing coverage. Please review.

Project coverage is 74.07%. Comparing base (134acce) to head (6a42675).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
internal/httpserver/server.go 58.33% 8 Missing and 2 partials ⚠️
internal/httpserver/config/config.go 86.66% 6 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2278      +/-   ##
==========================================
- Coverage   74.09%   74.07%   -0.03%     
==========================================
  Files         121      121              
  Lines        6737     6789      +52     
==========================================
+ Hits         4992     5029      +37     
- Misses       1542     1553      +11     
- Partials      203      207       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@binbin-li binbin-li force-pushed the refresh-config branch 3 times, most recently from e8bf320 to 6984230 Compare June 5, 2025 11:12
@binbin-li binbin-li requested a review from Copilot June 6, 2025 02:03
Copilot

This comment was marked as outdated.

Sign in to view

@binbin-li binbin-li requested a review from Copilot June 6, 2025 02:22
Copilot
Copilot AI reviewed Jun 6, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements dynamic configuration updates for the executor by adding file watcher support for both TLS certificate files and executor configuration. The changes include updating the TLS certificate watcher to use atomic pointers for improved performance and thread safety, refactoring the server structure to use a getExecutor callback for always retrieving the latest executor, and integrating a config watcher in the server startup process. Additionally, some deployment and configuration adjustments were made for security and provider updates.

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
internal/httpserver/tlssecret/certwatcher_test.go Updated tests to use NewWatcher and atomic pointer access for TLS secrets.
internal/httpserver/tlssecret/certwatcher.go Refactored to replace RWMutex with atomic pointers and added logging for fsnotify events.
internal/httpserver/server.go Replaced static executor field with a getExecutor callback and integrated a config watcher.
internal/httpserver/handlers_test.go & handlers.go Updated executor API calls to reference the new getExecutor callback.
internal/httpserver/config/config_test.go & config.go Introduced a new Watcher for executor configuration and updated related tests.
deployments/ratify-gatekeeper-provider/templates/deployment.yaml Changed readOnlyRootFilesystem to true for enhanced security.
configs/config.json Updated registry configuration settings.

shizhMSFT
shizhMSFT approved these changes Jun 9, 2025
View reviewed changes
Copy link

@shizhMSFT shizhMSFT left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@binbin-li binbin-li merged commit f880db6 into notaryproject:main Jun 9, 2025
13 checks passed
@binbin-li binbin-li mentioned this pull request Jun 9, 2025
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@shizhMSFT shizhMSFT shizhMSFT approved these changes

@akashsinghal akashsinghal Awaiting requested review from akashsinghal akashsinghal is a code owner

@jimmyraywv jimmyraywv Awaiting requested review from jimmyraywv jimmyraywv is a code owner

@luisdlp luisdlp Awaiting requested review from luisdlp luisdlp is a code owner

@susanshi susanshi Awaiting requested review from susanshi susanshi is a code owner

@toddysm toddysm Awaiting requested review from toddysm toddysm is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@binbin-li @shizhMSFT