Well, this is a lie in case timeToRefresh was > 0, right?

timeToRefresh is the time for the next refresh, we just refreshed the certificates in line 85 with r.refreshCertificates(ctx). I'll rename timeToRefresh to timeToNextRefresh to make this more clear

What I mean is that if we landed here because refreshCertificates returned early, on line 108 then nothing got refreshed this time round, and this message is a lie. I think we should log this around line 123 instead, and even potentially rename refreshCertificates to maybeRefreshCertificates.

you are right, done

What I mean is that if we landed here because refreshCertificates returned early, on line 108 then nothing got refreshed this time round, and this message is a lie. I think we should log this around line 123 instead, and even potentially rename refreshCertificates to maybeRefreshCertificates.

This is not an error right after deployment, when it's expected, right?

As discussed in #457 the repository should already populate the secret data, so this would be unexpected. Although I wonder if this could also happen even after the repository creates the secrets initialising the secret data with the certificates, due to k8s eventual consistency. If that is the case we'd have the certificates emitted twice in a row, do you think that could happen too?

For the same, I think scanner should be able to wait without crashing until the secrets are created and populated. Is that correct or am I missing something?

I think we should make it such that when a secret is present, it contains expected data. In other words we should never create an empty secret.

I understand you mean that in that case we should not treat ErrEmptyCertificate differently to other errors. The current proposal for #457 creates secrets with data populated with the certificates. So I think we can go two paths here:

1. Treat errors in getTimeToRefresh as unrecoverable: so getTimeToRefresh just returns 0, err for any error returned by r.getCertsRenewalTime(certificates). This implies an infinite loop of errors when the secret data is corrupted. The current proposal for ROX-9128: Create certSecretsRepo type to store certificates in k8s secrets #457 only creates a secret when it doesn't exist, so restarting Sensor wouldn't fix that
2. Treat errors in getTimeToRefresh as recoverable, and recover by returning 0, nil for any error returned by r.getCertsRenewalTime(certificates). This can also leads to an infinite loop of requesting certificates, if the certificate renewal process always fails.

I tend to prefer option 2, what do you think?

the repository should already populate the secret data, so this would be unexpected

I understand you mean that in that case we should not treat ErrEmptyCertificate differently to other errors.

Yes, if we never create an empty secret then we should not be having a special error instance for an empty secret. Just treat it as invalid cert ripe for a refresh.

I first modified getTimeToRefresh to never fail and always recover using 0 as timeToNextRefresh.
But then I realised that if we get an error in the second call to r.getTimeToRefresh in the body of ensureCertificatesAreFresh, for the new certificates returned by r.requestCertificates(ctx), then we should not return 0, nil to the ticker that is calling RefreshCertificates, because that would imply an immediate retry, thus hammering central with certificate requests just because the refresher doesn't understand the certificates. So I have added a recoverFromErr parameter to getTimeToRefresh to optionally ignore errors, so in ensureCertificatesAreFresh for the the first call we ignore errors and refresh the certificate immediately if we cannot parse the certificates stored in the secrets, but for the second call where we parse the new certificates we don't recover from an error so the backoff mechanism in the ticker can work.

What do you think?

Since there are no other errs in this function:

done

I'm not sure this interface is all that useful...

this would be useful for testing the sensor component that launches the refresher, as it would allow to mock the refresher easily

Right, but an interface should be defined in the user's package, not in the implementer's one.
https://blog.chewxy.com/2018/03/18/golang-interfaces/

Here it's the same package, but arguably the same principles should apply when we split things across files.

What I'm understanding here is that the suggestion is moving the certRefresher interface to the sensor component that uses it, e.g. to file tls_issuer.go in https://github.com/stackrox/stackrox/pull/565/files#diff-81bd3808339e34da64a1fa5e66c27f0ec9d75a8a51956b1773c4e0c8b6295c08. I'm thus removing the interface from this PR

done

done

I have to admit that because the last line of parameter list is indented the same as the first line of code, I find it hard to tell them apart visually. WDYT about inserting a blank line as the first line of function body whenever there is a line break inside the parameter list?

done, I agree that is more readable

This is only passed as the function to the ticker and not accessed anywhere else (apart from unit tests), right?
In that case I guess it does not need to be exported? 🤔

renamed to lower case

If the entire API is just creating a ticker and delegating Stop and Start to it, then perhaps the refresher should not be wrapping it in the first place? Perhaps we can simplify the whole thing by having newCertRefresher return an appropriately configured ticker instead? WDYT?

that makes sense, and it simplifies the code significantly, done

the repository should already populate the secret data, so this would be unexpected

I understand you mean that in that case we should not treat ErrEmptyCertificate differently to other errors.

Yes, if we never create an empty secret then we should not be having a special error instance for an empty secret. Just treat it as invalid cert ripe for a refresh.

Nit: corrupted might be too strong a word for the case where CA certs differ. Perhaps just inconsistent state?

changed this to

log.Errorf("local scanner certificates are in an inconsistent state, will refresh certificates immediately: %s", getCertsErr)

done

Please use a consistent wrapping style for the same function prototypes (i.e. here vs refreshCertificates). For 4 parameters I'd prefer the style used here, but up to you as long as it's consistent.

now using longer lines for refreshCertificates too

fixed

TBH my preference would be to inline this function. The extra recoverFromErr parameter seems to introduce more complexity than is solved by having this standalone function. At least I had a hard time figuring out what is going on :-)

You are right, I like how your comments keep making the code smaller!

The plan is not merging this even with a TODO, because that would cause a conflict with #457 because both would define the same package variable and break the build. Merging this PR is blocked by merging #457

references to ROX-9128 removed after rebase

references to ROX-9128 removed after rebase

This is a mock right? Can this be removed?
If you add temporary code try to mark it as TODO(do-not-merge): ... to prevent accidental merges.

That is not a mock, per another review comment I moved the interface definition to the place where they are used, see #474 (comment) for context

Does it mean we add the interfaces where they are needed?
Tbh I've never seen this before it and seems to not make sense anymore if we have another package using the same interface as a dependency (in structs or function signatures).
cc: @porridge

I.e. the Reader is also defined in io.go where the implementation lives

For this particular case, another option is putting all interfaces in a new file sensor/kubernetes/localscanner/types.go, what do you think?

@porridge Do you have any production examples? Preferably in a well-known project?
Also took a look at the uber style guide where it is not mentioned.

@SimonBaeumer here's the most authoritative source I could find: https://github.com/golang/go/wiki/CodeReviewComments#interfaces

This is also alluded to by people like Rob Pike in places like https://groups.google.com/g/golang-nuts/c/mg-8_jMyasY/m/lo-kDuEd540J which explains the philosophical background of why this rule was created in the first place.
I'm also reasonably sure I've seen a talk by one of the Go creators that mentioned this, but I cannot find it :-(

Some more places where it's mentioned by other people:

https://blog.logrocket.com/exploring-structs-interfaces-go/#other-interface-types-considerations
https://commandercoriander.net/blog/2018/03/30/go-interfaces/

Of course there are cases where this is hard to apply, but I don't think this is one of them.

Not the talk I had in mind, but fun to watch: https://www.youtube.com/watch?v=PAAkCSZUG1c&t=318s

Very interesting discussion. Some golang concepts like interfaces or methods are sneaky to me because they sound similar to Java or C++ concepts, but are actually quite different, so this material is really useful

Interesting, thanks for sharing @porridge. I was not aware of this, need to dig deeper later 👍

done

I think this needs to be replaced with ensureSecrets after the repo secrets PR is merged

done