Verify container TLS, support custom CA

[cben]

Support verifying kubernetes/openshift TLS certificates, including self-signed certificates.

The UI PR ManageIQ/manageiq-ui-classic#450 will consistently set endpoint (security_protocol, verify_ssl, certificate_authority) for containers, with 3 modes:

• (ssl-with-validation, 1, nil)
• (ssl-with-validation-custom-ca, 1, certificate_authority text)
• (ssl-without-validation, 0, nil)
  [Some providers use just ssl but with inconsistent meanings, I opted for long but unambiguous.]

REST API passing these options already possible on master.

Compatibility:

Existing providers, both via UI and API had no security_protocol, defaulted to verify_ssl == 1 but did not enforce it.

• If they have a globally-trusted cert, they'll silently become secure;

• If they have self-signed cert, their auth will become "Error" until users Edit the provider to configure custom CA to trust (or disable validation):
  
  Is this OK or too aggressive?

• Verified behavior without hawkular endpoint (kubernetes, openshifts created before darga(?)). Defaults to secure as expected.

Verified that various connections still work:

• Refresh.
• Metrics (Hawkular endpoint).
• Event watcher.
• SSA scanning.
  • Only 70% sure MiqFS part worked, want to re-check.
• fetch_hawk_inv (tested without real data, returned [] but connection worked no errors)

Links

• Container & oVirt combined UI changes: TLS verification & custom CA UI for oVirt and Container providers manageiq-ui-classic#450
• Similar oVirt backend change: Verify oVirt TLS certificates #14004
• Similar Hawkular changes: backed Be able to use tls when connecting to Hawkular #14054, UI Hawkular/add ssl support manageiq-ui-classic#460
• This builds on Per-endpoint configurable certificate_authority #13567 [merged] for storing the certificate_authority field,
  and MiqContainerGroup, WebDAV: take net/http options hash manageiq-gems-pending#51 [merged] for passing https options to container MiqFS.

@miq-bot add-label providers/containers, security, bug, enhancement

@Fryguy @blomquisg @moolitayer please review. cc @jhernand @simon3z

[durandom]

LGTM 👍

@cben will it require a data migration?
I remember these two issues making a provider defunct after upgrade

#10758
#10736

[cben]

It should not require a migration.

• I'm assuming we're OK with defaulting to secure existing providers, breaking some until edited by user?
  (If we wanted to grandfather existing insecurity, that may need a migration — existing providers have verify_ssl == 1 in DB.)
• I'm relying on existing containers providers not having security_protocol set and future UI-created ones having it.
  • API users might continue creating providers without setting security_protocol; this should work, respecting verify_ssl if set, defaulting to secure if not.

I tried to test these in container_manager_spec.rb

Thanks for the 2 pointers, I'll dig into those.
One thing I didn't yet but should try is going back before containers had multiple endpoints (pre-darga I think), creating a provider, migrating forward, and seeing what endpoints I get and how this code deals.

[kicking Travis — failure unrelated, got fixed yesterday UPDATE: now another unrelated MiqReport failure]

[durandom]

I'm assuming we're OK with defaulting to secure existing providers, breaking some until edited by user?

@blomquisg maybe this needs release notes or other docs?

[blomquisg]

maybe this needs release notes or other docs?

Right, that's honestly the only way I can think to handle this. I think @cben is right in saying that if we don't include a migration, it errs on the side of being more secure, or breaking providers that were intended to be less secure. Then, if a user wants to continue in a less secure configuration, they will have to go out of their way to enforce that configuration.

[simon3z]

@cben it seems that having two similar methods as hawkular_endpoint and hawkular_entrypoint is confusing. Any way to improve this part?

[cben]

TODO: if not given this passes nil, which crashes kubeclient (it assumes @ssl_options is always a hash, the default hash is only used if :ssl_options it not passed at all to constructor).
This only affects calls get_hostname_from_routes, and will be masked by the UI PR which starts passing :ssl_options from get_hostname_from_routes, but I should fix this.

[same in kubernetes_connect]

[cben]

Fixed.

[miq-bot]

Checked commits cben/manageiq@7fb273d~...cc9d396 with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0
6 files checked, 0 offenses detected
Everything looks good. 👍

[cben]

@blomquisg This PR is ready. I believe oVirt #14004 is ready too.

Addressed comments, added one test, verified behavior with a pre-darga provider defaults to secure [https://gist.github.com/cben/684d5e36e068278b29de0309e669ff0e].

Still chasing an edge case in the UI PR ManageIQ/manageiq-ui-classic#450 — if your provider had no hawkular endpoint (kubernetes, openshifts created before darga(?)) — it's hard or impossible to edit the provider without adding a hawkular endpoint.

It could make sense to merge things as is and I'll follow up with another UI PR (strictly better than merging core without UI; the alternative is blocking all 3).

[blomquisg]

I've opened a docs issue discussing this situation so that we can craft appropriate documentation for users impacted by this change: ManageIQ/manageiq-documentation#244