I agree with @mitchell852 , automating snapshots is highly dangerous at the
moment. Even the diff doesn't necessarily catch everything, and even if it
did, there's a race between diffing and snapshotting. DS Snapshots
mitigates the issue, but doesn't solve it entirely.

The right solution is to implement If-Unmodified-Since/If-Match on the
/snapshot/new and /snapshot endpoints. Then the automated tool can get the
snapshot/new, verify it's identical to the existing snapshot, do its
change, and POST /snapshot with an 'If-Unmodified-Since'.

This is something we've needed for a long time, for a lot of automated Ops
tools, not just this.

I don't think it's difficult to implement. I have ETag/IMS code lying
around in a number of PRs, and making the endpoints support it should be
pretty simple; all we have to do is query the affected tables to get the
latest last_updated.

See:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-Match
https://github.com/apache/trafficcontrol/pull/3175/commits/86e8d2b06209e0846b4d6fcfcb19f3695662dc4c


On Tue, May 7, 2019 at 3:11 PM Jeremy Mitchell <mitchell...@gmail.com>
wrote:

> automatically calling a cdn snapshot sounds problematic, however, rob did
> some work around delivery service level snapshots but it is not complete.
> maybe delivery service level snapshots could be automatic?? not sure.
> something to potentially explore.
>
> jeremy
>
> On Tue, May 7, 2019 at 2:28 PM Matthew Jackson <mjack...@alumni.nd.edu>
> wrote:
>
> > Hey all,
> >
> > I'm working to add integration with LetsEncrypt to get signed certs
> > automatically for delivery services.  In order to prove that I own the
> > domain, LetsEncrypt does a DNS challenge and requires that a token from
> > them is put as a TXT record at "_acme-challenge.domain.com".  They verify
> > that the token is there before returning the certs.
> >
> > I'm using Traffic Router to do this "DNS" authentication, but this will
> > require a Snapshot to be taken in order to update TR.  LetsEncrypt doesn't
> > really allow for a break between the request and the challenge, so this
> > would all have to be done in a row.  One option for this would be to add
> > the TXT record through the "Static DNS Entries" endpoint, automatically
> > call the Snapshot, and verify the server was updated before returning to
> > LetsEncrypt.  But I wanted to reach out to get everyone's thoughts / other
> > ideas before proceeding.
> >
> > Any thoughts or ideas?
> >
> > Thanks
> > Matt
> >
>
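The conditional-write check the top reply proposes (If-Match / If-Unmodified-Since on POST /snapshot, validated against the latest last_updated of the affected tables), as an added Go example that is not Traffic Control's own code. The snapshotState type, etagFor and PostSnapshot are assumptions standing in for the real tables and handler; the point is that the precondition check and the snapshot happen under one lock, so the race between diffing and snapshotting is closed.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
	"time"
)

// snapshotState stands in for the latest last_updated of the affected tables (constructed here).
type snapshotState struct {
	mu          sync.Mutex
	lastUpdated time.Time
}

// etagFor derives the validator from last_updated; an assumption, any stable function of the state would do.
func etagFor(t time.Time) string { return fmt.Sprintf("\"%d\"", t.Unix()) }

// checkPreconditions returns 0 if the write may proceed, otherwise the status
// to send: 428 if no validator was supplied, 412 if the state has moved on.
func checkPreconditions(r *http.Request, lastUpdated time.Time) int {
	ifMatch, ius := r.Header.Get("If-Match"), r.Header.Get("If-Unmodified-Since")
	if ifMatch == "" && ius == "" {
		return http.StatusPreconditionRequired
	}
	if ifMatch != "" && ifMatch != "*" && ifMatch != etagFor(lastUpdated) {
		return http.StatusPreconditionFailed
	}
	if ius != "" { // HTTP dates carry whole seconds; compare at that resolution
		since, err := http.ParseTime(ius)
		if err != nil || lastUpdated.Truncate(time.Second).After(since) {
			return http.StatusPreconditionFailed
		}
	}
	return 0
}

// PostSnapshot checks and applies under one lock, so no other change can
// slip in between the precondition check and the snapshot itself.
func (s *snapshotState) PostSnapshot(w http.ResponseWriter, r *http.Request) {
	s.mu.Lock()
	defer s.mu.Unlock()
	code := checkPreconditions(r, s.lastUpdated)
	if code == 0 {
		s.lastUpdated = time.Now()
		code = http.StatusOK
	}
	w.Header().Set("ETag", etagFor(s.lastUpdated))
	w.WriteHeader(code)
}
```

The automated tool's loop then becomes: GET /snapshot/new (read ETag / Last-Modified), verify it matches the existing snapshot, make the change, POST /snapshot with those validators, and treat 412 as "someone else changed the CDN, start over".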
