expiration-mailer: feature-gate bug fix (#6122)
We recently landed a fix so the expiration-mailer won't look twice at the same certificate. This will cause an immediate behavior change when it is deployed, and that might have surprising effects. Put the fix behind a feature flag so we can control when it rolls out more carefully.
parent
5c3f62d4a5
commit
be893678bd
|
|
@ -68,6 +68,12 @@ type mailerStats struct {
|
|||
}
|
||||
|
||||
func (m *mailer) sendNags(contacts []string, certs []*x509.Certificate) error {
|
||||
// TODO(#6121): Remove this
|
||||
if !features.Enabled(features.ExpirationMailerDontLookTwice) {
|
||||
if len(contacts) == 0 {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
if len(certs) == 0 {
|
||||
return errors.New("no certs given to send nags for")
|
||||
}
|
||||
|
|
@ -256,6 +262,13 @@ func (m *mailer) processCerts(ctx context.Context, allCerts []core.Certificate)
|
|||
continue
|
||||
}
|
||||
|
||||
// TODO(#6121): Remove this
|
||||
if !features.Enabled(features.ExpirationMailerDontLookTwice) {
|
||||
if len(reg.Contact) == 0 {
|
||||
continue
|
||||
}
|
||||
}
|
||||
|
||||
err = m.sendNags(reg.Contact, parsedCerts)
|
||||
if err != nil {
|
||||
m.stats.errorCount.With(prometheus.Labels{"type": "SendNags"}).Inc()
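Review bot: With `ExpirationMailerDontLookTwice` enabled, an empty `contacts` slice now passes the guard at the top of `sendNags` and runs into the rest of the function, which lies outside this hunk. It is worth confirming, and covering with a test, that the remainder returns before composing or sending a message when no usable address is left. The same gate in `processCerts` means registrations with no contact now reach `sendNags` as well. The nested conditions can be a single test, `if !features.Enabled(features.ExpirationMailerDontLookTwice) && len(contacts) == 0 {`. Both TODOs would read better if they said what is to be removed, e.g. `// TODO(#6121): Remove this legacy early exit once ExpirationMailerDontLookTwice is enabled everywhere.`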
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@ import (
|
|||
corepb "github.com/letsencrypt/boulder/core/proto"
|
||||
"github.com/letsencrypt/boulder/db"
|
||||
berrors "github.com/letsencrypt/boulder/errors"
|
||||
"github.com/letsencrypt/boulder/features"
|
||||
blog "github.com/letsencrypt/boulder/log"
|
||||
"github.com/letsencrypt/boulder/metrics"
|
||||
"github.com/letsencrypt/boulder/mocks"
|
||||
|
|
@ -201,6 +202,10 @@ func TestProcessCerts(t *testing.T) {
|
|||
func TestNoContactCertIsNotRenewed(t *testing.T) {
|
||||
testCtx := setup(t, []time.Duration{time.Hour * 24 * 7})
|
||||
|
||||
_ = features.Set(map[string]bool{
|
||||
features.ExpirationMailerDontLookTwice.String(): true,
|
||||
})
|
||||
|
||||
reg, err := makeRegistration(testCtx.ssa, 1, jsonKeyA, nil)
|
||||
test.AssertNotError(t, err, "Couldn't store regA")
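Review bot: The added `_ = features.Set(...)` in `TestNoContactCertIsNotRenewed` discards the returned error, and no reset is visible in the hunk, so the flag may stay enabled for every later test in the package. Consider `err := features.Set(...)` followed by `test.AssertNotError(t, err, "setting feature flag")` and `defer features.Reset()`. The rest of the test body is outside the hunk, so a reset may already exist further down. Because the flag defaults to `false` in the features map, a companion case that runs with the flag off would keep the legacy path covered until it is removed.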
|
||||
|
||||
|
|
|
|||
|
|
@ -35,11 +35,12 @@ func _() {
|
|||
_ = x[OldTLSInbound-24]
|
||||
_ = x[SHA1CSRs-25]
|
||||
_ = x[AllowUnrecognizedFeatures-26]
|
||||
_ = x[ExpirationMailerDontLookTwice-27]
|
||||
}
|
||||
|
||||
const _FeatureFlag_name = "unusedPrecertificateRevocationStripDefaultSchemePortNonCFSSLSignerStoreIssuerInfoStreamlineOrderAndAuthzsV1DisableNewValidationsCAAValidationMethodsCAAAccountURIEnforceMultiVAMultiVAFullResultsMandatoryPOSTAsGETAllowV1RegistrationStoreRevokerInfoRestrictRSAKeySizesFasterNewOrdersRateLimitECDSAForAllServeRenewalInfoGetAuthzReadOnlyGetAuthzUseIndexCheckFailedAuthorizationsFirstAllowReRevocationMozRevocationReasonsOldTLSOutboundOldTLSInboundSHA1CSRsAllowUnrecognizedFeatures"
|
||||
const _FeatureFlag_name = "unusedPrecertificateRevocationStripDefaultSchemePortNonCFSSLSignerStoreIssuerInfoStreamlineOrderAndAuthzsV1DisableNewValidationsCAAValidationMethodsCAAAccountURIEnforceMultiVAMultiVAFullResultsMandatoryPOSTAsGETAllowV1RegistrationStoreRevokerInfoRestrictRSAKeySizesFasterNewOrdersRateLimitECDSAForAllServeRenewalInfoGetAuthzReadOnlyGetAuthzUseIndexCheckFailedAuthorizationsFirstAllowReRevocationMozRevocationReasonsOldTLSOutboundOldTLSInboundSHA1CSRsAllowUnrecognizedFeaturesExpirationMailerDontLookTwice"
|
||||
|
||||
var _FeatureFlag_index = [...]uint16{0, 6, 30, 52, 66, 81, 105, 128, 148, 161, 175, 193, 211, 230, 246, 265, 289, 300, 316, 332, 348, 378, 395, 415, 429, 442, 450, 475}
|
||||
var _FeatureFlag_index = [...]uint16{0, 6, 30, 52, 66, 81, 105, 128, 148, 161, 175, 193, 211, 230, 246, 265, 289, 300, 316, 332, 348, 378, 395, 415, 429, 442, 450, 475, 504}
|
||||
|
||||
func (i FeatureFlag) String() string {
|
||||
if i < 0 || i >= FeatureFlag(len(_FeatureFlag_index)-1) {
|
||||
|
|
|
|||
|
|
@ -92,6 +92,11 @@ const (
|
|||
// AllowUnrecognizedFeatures is internal to the features package: if true,
|
||||
// skip error when unrecognized feature flag names are passed.
|
||||
AllowUnrecognizedFeatures
|
||||
|
||||
// ExpirationMailerDontLookTwice enables a bug fix in expiration-mailer
|
||||
// speeds up expiration-mailer processing by ensuring processed items
|
||||
// get marked done.
|
||||
ExpirationMailerDontLookTwice
|
||||
)
|
||||
|
||||
// List of features and their default value, protected by fMu
|
||||
|
|
@ -123,6 +128,7 @@ var features = map[FeatureFlag]bool{
|
|||
OldTLSInbound: true,
|
||||
SHA1CSRs: true,
|
||||
AllowUnrecognizedFeatures: false,
|
||||
ExpirationMailerDontLookTwice: false,
|
||||
}
|
||||
|
||||
var fMu = new(sync.RWMutex)
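Review bot: The doc comment added for `ExpirationMailerDontLookTwice` in the const block is missing a word ("enables a bug fix in expiration-mailer speeds up ...") and does not say what happens when the flag is off. Suggested wording: `// ExpirationMailerDontLookTwice enables a bug fix in expiration-mailer that` / `// speeds up processing by ensuring processed items get marked done. When` / `// false, the previous behavior is kept. TODO(#6121): remove once rolled out.` Carrying the TODO here ties the flag's removal to the same issue as the gates in the mailer.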
|
||||
|
|
|
|||
|
|
@ -23,7 +23,10 @@
|
|||
"timeout": "15s"
|
||||
},
|
||||
"SMTPTrustedRootFile": "test/mail-test-srv/minica.pem",
|
||||
"frequency": "1h"
|
||||
"frequency": "1h",
|
||||
"features": {
|
||||
"ExpirationMailerDontLookTwice": true
|
||||
}
|
||||
},
|
||||
|
||||
"syslog": {
|
||||
|
|
|
|||