stackrox · juanrh · Feb 24, 2022 · Feb 8, 2022 · Feb 8, 2022 · Feb 8, 2022
@@ -108,6 +108,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
         - name: ROX_CENTRAL_ENDPOINT
           value: {{ ._rox.centralEndpoint }}
         - name: ROX_ADVERTISED_ENDPOINT

diff --git a/pkg/centralsensor/caps_list.go b/pkg/centralsensor/caps_list.go
@@ -24,4 +24,7 @@ const (
 
 	// AuditLogEventsCap identifies the capability to handle audit log event detection.
 	AuditLogEventsCap SensorCapability = "AuditLogEvents"
+
+	// LocalScannerCredentialsRefresh identifies the capability to maintain the Local scanner TLS credentials refreshed.
+	LocalScannerCredentialsRefresh SensorCapability = "LocalScannerCredentialsRefresh"
 )
diff --git a/pkg/concurrency/retry_ticker.go b/pkg/concurrency/retry_ticker.go
@@ -25,6 +25,7 @@ var (
 type RetryTicker interface {
 	Start() error
 	Stop()
+	Stopped() bool
 }
 
 type tickFunc func(ctx context.Context) (timeToNextTick time.Duration, err error)
@@ -64,7 +65,7 @@ type retryTickerImpl struct {
 // - ErrStartedTimer is returned if the timer was already started.
 // - ErrStoppedTimer is returned if the timer was stopped.
 func (t *retryTickerImpl) Start() error {
-	if t.stopFlag.Get() {
+	if t.Stopped() {
 		return ErrStoppedTimer
 	}
 	if t.getTickTimer() != nil {
@@ -82,13 +83,18 @@ func (t *retryTickerImpl) Stop() {
 	t.setTickTimer(nil)
 }
 
+// Stopped returns true if this RetryTicker has been stopped, otherwise returns false.
+func (t *retryTickerImpl) Stopped() bool {
+	return t.stopFlag.Get()
+}
+
 func (t *retryTickerImpl) scheduleTick(timeToTick time.Duration) {
 	t.setTickTimer(t.scheduler(timeToTick, func() {
 		ctx, cancel := context.WithTimeout(context.Background(), t.timeout)
 		defer cancel()
 
 		nextTimeToTick, tickErr := t.doFunc(ctx)
-		if t.stopFlag.Get() {
+		if t.Stopped() {
 			// ticker was stopped while tick function was running.
 			return
 		}

@@ -47,7 +47,7 @@ func refreshCertificates(ctx context.Context, requestCertificates requestCertifi
 	timeToNextRefresh, err = ensureCertificatesAreFresh(ctx, requestCertificates, getCertsRenewalTime, repository)
 	if err != nil {
 		if errors.Is(err, ErrUnexpectedSecretsOwner) {
-			log.Errorf("stopping automatic refresh of %s: %s", certsDescription, err)
+			log.Errorf("non-recoverable error refreshing %s, automatic refresh will be stopped: %s", certsDescription, err)
 			return 0, concurrency.ErrNonRecoverable
 		}
 
@@ -97,7 +97,10 @@ func getTimeToRefreshFromRepo(ctx context.Context, getCertsRenewalTime getCertsR
 	repository serviceCertificatesRepo) (time.Duration, error) {
 
 	certificates, getCertsErr := repository.getServiceCertificates(ctx)
-	if getCertsErr == ErrDifferentCAForDifferentServiceTypes || getCertsErr == ErrMissingSecretData {
+	if errors.Is(getCertsErr, ErrUnexpectedSecretsOwner) {
+		return 0, getCertsErr
+	}
+	if errors.Is(getCertsErr, ErrDifferentCAForDifferentServiceTypes) || errors.Is(getCertsErr, ErrMissingSecretData) {
 		log.Errorf("local scanner certificates are in an inconsistent state, "+
 			"will refresh certificates immediately: %s", getCertsErr)
 		return 0, nil

@@ -5,6 +5,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/hashicorp/go-multierror"
 	"github.com/pkg/errors"
 	"github.com/stackrox/rox/generated/internalapi/central"
 	"github.com/stackrox/rox/generated/storage"
@@ -110,8 +111,8 @@ func (s *certRefresherSuite) TestRefreshCertificatesGetCertsInconsistentImmediat
 	testCases := map[string]struct {
 		recoverableErr error
 	}{
-		"refresh immediately on ErrDifferentCAForDifferentServiceTypes": {recoverableErr: ErrDifferentCAForDifferentServiceTypes},
-		"refresh immediately on ErrMissingSecretData":                   {recoverableErr: ErrMissingSecretData},
+		"refresh immediately on ErrDifferentCAForDifferentServiceTypes": {recoverableErr: errors.Wrap(ErrDifferentCAForDifferentServiceTypes, "wrap error")},
+		"refresh immediately on ErrMissingSecretData":                   {recoverableErr: errors.Wrap(ErrMissingSecretData, "wrap error")},
 		"refresh immediately on missing secrets":                        {recoverableErr: k8sErrors.NewNotFound(schema.GroupResource{Group: "Core", Resource: "Secret"}, "foo")},
 	}
 	for tcName, tc := range testCases {
@@ -132,9 +133,10 @@ func (s *certRefresherSuite) TestRefreshCertificatesGetCertsInconsistentImmediat
 	}
 }
 
-func (s *certRefresherSuite) TestRefreshCertificatesGetCertsUnexpectedOwnerFailure() {
+func (s *certRefresherSuite) TestRefreshCertificatesGetCertsUnexpectedOwnerHighestPriorityFailure() {
+	getErr := multierror.Append(nil, ErrUnexpectedSecretsOwner, ErrDifferentCAForDifferentServiceTypes, ErrMissingSecretData)
 	s.dependenciesMock.On("getServiceCertificates", mock.Anything).Once().Return(
-		(*storage.TypedServiceCertificateSet)(nil), concurrency.ErrNonRecoverable)
+		(*storage.TypedServiceCertificateSet)(nil), getErr)
 
 	_, err := s.refreshCertificates()
 

@@ -68,15 +68,23 @@ func (s *getSecretRenewalTimeSuite) TestGetSecretsCertRenewalTime() {
 	s.LessOrEqual(certDuration, afterOffset/2)
 }
 
-func issueCertificatePEM(issueOption mtls.IssueCertOption) ([]byte, error) {
+func issueCertificate(serviceType storage.ServiceType, issueOption mtls.IssueCertOption) (*mtls.IssuedCert, error) {
 	ca, err := mtls.CAForSigning()
 	if err != nil {
 		return nil, err
 	}
-	subject := mtls.NewSubject("clusterId", storage.ServiceType_SCANNER_SERVICE)
+	subject := mtls.NewSubject("clusterId", serviceType)
 	cert, err := ca.IssueCertForSubject(subject, issueOption)
 	if err != nil {
 		return nil, err
 	}
-	return cert.CertPEM, err
+	return cert, err
+}
+
+func issueCertificatePEM(issueOption mtls.IssueCertOption) ([]byte, error) {
+	cert, err := issueCertificate(storage.ServiceType_SCANNER_SERVICE, issueOption)
+	if err != nil {
+		return nil, err
+	}
+	return cert.CertPEM, nil
 }
@@ -6,7 +6,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/stackrox/rox/generated/internalapi/central"
 	"github.com/stackrox/rox/pkg/concurrency"
-	"github.com/stackrox/rox/pkg/logging"
 	"github.com/stackrox/rox/pkg/sync"
 	"github.com/stackrox/rox/pkg/uuid"
 )
@@ -15,17 +14,9 @@ var (
 	// ErrCertificateRequesterStopped is returned by RequestCertificates when the certificate
 	// requester is not initialized.
 	ErrCertificateRequesterStopped                      = errors.New("stopped")
-	log                                                 = logging.LoggerForModule()
 	_                              CertificateRequester = (*certificateRequesterImpl)(nil)
 )
 
-// CertificateRequester requests a new set of local scanner certificates from central.
-type CertificateRequester interface {
-	Start()
-	Stop()
-	RequestCertificates(ctx context.Context) (*central.IssueLocalScannerCertsResponse, error)
-}
-
 // NewCertificateRequester creates a new certificate requester that communicates through
 // the specified channels and initializes a new request ID for reach request.
 // To use it call Start, and then make requests with RequestCertificates, concurrent requests are supported.

@@ -53,7 +53,7 @@ type serviceCertSecretSpec struct {
 // newServiceCertificatesRepo creates a new serviceCertificatesRepoSecretsImpl that persists certificates for
 // scanner and scanner DB in k8s secrets that are expected to have ownerReference as the only owner reference.
 func newServiceCertificatesRepo(ownerReference metav1.OwnerReference, namespace string,
-	secretsClient corev1.SecretInterface) *serviceCertificatesRepoSecretsImpl {
+	secretsClient corev1.SecretInterface) serviceCertificatesRepo {
 
 	return &serviceCertificatesRepoSecretsImpl{
 		secrets: map[storage.ServiceType]serviceCertSecretSpec{