fix(stackable-webhook): Move certificate generation to the blocking thread (#815)

NickLarsenNZ · web-flow · commit 4a29c0428087 · 2024-06-24T08:51:27.000Z
* fix(stackable-webhook): move certificate generation to the blocking thread

* chore(stackable-webhook): update changelog

* chore(stackable-webhook): add explanation for the use of spawn_blocking
diff --git a/crates/stackable-webhook/CHANGELOG.md b/crates/stackable-webhook/CHANGELOG.md
@@ -14,9 +14,11 @@ All notable changes to this project will be documented in this file.
   the `Host` info (data about the server) in the `AxumTraceLayer`. This was
   previously not extracted correctly and thus not included in the OpenTelemetry
   compatible traces ([#806]).
+- Spawn blocking code on a blocking thread ([#815]).
 
 [#806]: https://github.com/stackabletech/operator-rs/pull/806
 [#811]: https://github.com/stackabletech/operator-rs/pull/811
+[#815]: https://github.com/stackabletech/operator-rs/pull/815
 
 ## [0.3.0] - 2024-05-08
 
diff --git a/crates/stackable-webhook/src/tls.rs b/crates/stackable-webhook/src/tls.rs
@@ -56,6 +56,9 @@ pub enum Error {
 
     #[snafu(display("failed to set safe TLS protocol versions"))]
     SetSafeTlsProtocolVersions { source: tokio_rustls::rustls::Error },
+
+    #[snafu(display("failed to run task in blocking thread"))]
+    TokioSpawnBlocking { source: tokio::task::JoinError },
 }
 
 /// Custom implementation of [`std::cmp::PartialEq`] because some inner types
@@ -94,37 +97,49 @@ pub struct TlsServer {
 impl TlsServer {
     #[instrument(name = "create_tls_server", skip(router))]
     pub async fn new(socket_addr: SocketAddr, router: Router) -> Result<Self> {
-        let mut certificate_authority =
-            CertificateAuthority::new_rsa().context(CreateCertificateAuthoritySnafu)?;
-
-        let leaf_certificate = certificate_authority
-            .generate_rsa_leaf_certificate("Leaf", "webhook", Duration::from_secs(3600))
-            .context(GenerateLeafCertificateSnafu)?;
-
-        let certificate_der = leaf_certificate
-            .certificate_der()
-            .context(EncodeCertificateDerSnafu)?;
-
-        let private_key_der = leaf_certificate
-            .private_key_der()
-            .context(EncodePrivateKeyDerSnafu)?;
-
-        let tls_provider = default_provider();
-        let mut config = ServerConfig::builder_with_provider(tls_provider.into())
-            .with_protocol_versions(&[&TLS12, &TLS13])
-            .context(SetSafeTlsProtocolVersionsSnafu)?
-            .with_no_client_auth()
-            .with_single_cert(vec![certificate_der], private_key_der)
-            .context(InvalidTlsPrivateKeySnafu)?;
-
-        config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
-        let config = Arc::new(config);
-
-        Ok(Self {
-            socket_addr,
-            config,
-            router,
+        // NOTE(@NickLarsenNZ): This code is not async, and does take some
+        // non-negligable amount of time to complete (moreso in debug ).
+        // We run this in a thread reserved for blocking code so that the Tokio
+        // executor is able to make progress on other futures instead of being
+        // blocked.
+        // See https://docs.rs/tokio/latest/tokio/task/fn.spawn_blocking.html
+        let task = tokio::task::spawn_blocking(move || {
+            let mut certificate_authority =
+                CertificateAuthority::new_rsa().context(CreateCertificateAuthoritySnafu)?;
+
+            let leaf_certificate = certificate_authority
+                .generate_rsa_leaf_certificate("Leaf", "webhook", Duration::from_secs(3600))
+                .context(GenerateLeafCertificateSnafu)?;
+
+            let certificate_der = leaf_certificate
+                .certificate_der()
+                .context(EncodeCertificateDerSnafu)?;
+
+            let private_key_der = leaf_certificate
+                .private_key_der()
+                .context(EncodePrivateKeyDerSnafu)?;
+
+            let tls_provider = default_provider();
+            let mut config = ServerConfig::builder_with_provider(tls_provider.into())
+                .with_protocol_versions(&[&TLS12, &TLS13])
+                .context(SetSafeTlsProtocolVersionsSnafu)?
+                .with_no_client_auth()
+                .with_single_cert(vec![certificate_der], private_key_der)
+                .context(InvalidTlsPrivateKeySnafu)?;
+
+            config.alpn_protocols = vec![b"h2".to_vec(), b"http/1.1".to_vec()];
+            let config = Arc::new(config);
+
+            Ok(Self {
+                socket_addr,
+                config,
+                router,
+            })
         })
+        .await
+        .context(TokioSpawnBlockingSnafu)??;
+
+        Ok(task)
     }
 
     /// Runs the TLS server by listening for incoming TCP connections on the
