-
Notifications
You must be signed in to change notification settings - Fork 900
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Verify container TLS, support custom CA #14019
Conversation
9545bf8
to
67ded83
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should not require a migration.
I tried to test these in container_manager_spec.rb Thanks for the 2 pointers, I'll dig into those. [kicking Travis — failure unrelated, got fixed yesterday UPDATE: now another unrelated MiqReport failure] |
@blomquisg maybe this needs release notes or other docs? |
Right, that's honestly the only way I can think to handle this. I think @cben is right in saying that if we don't include a migration, it errs on the side of being more secure, or breaking providers that were intended to be less secure. Then, if a user wants to continue in a less secure configuration, they will have to go out of their way to enforce that configuration. |
@@ -10,8 +10,12 @@ def hawkular_client | |||
@hawkular_entrypoint, @hawkular_credentials, @hawkular_options) | |||
end | |||
|
|||
# may be nil | |||
def hawkular_endpoint |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cben it seems that having two similar methods as hawkular_endpoint
and hawkular_entrypoint
is confusing. Any way to improve this part?
@@ -36,7 +36,7 @@ def openshift_connect(hostname, port, options) | |||
Kubeclient::Client.new( | |||
raw_api_endpoint(hostname, port, '/oapi'), | |||
options[:version] || api_version, | |||
:ssl_options => { :verify_ssl => verify_ssl_mode }, | |||
:ssl_options => options[:ssl_options], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TODO: if not given this passes nil, which crashes kubeclient (it assumes @ssl_options
is always a hash, the default hash is only used if :ssl_options it not passed at all to constructor).
This only affects calls get_hostname_from_routes
, and will be masked by the UI PR which starts passing :ssl_options from get_hostname_from_routes
, but I should fix this.
[same in kubernetes_connect
]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed.
67ded83
to
2257eb7
Compare
Upcoming UI will consistently set endpoint (security_protocol, verify_ssl, certificate_authority). Existing providers, both via UI and API had no security_protocol, defaulted to verify_ssl == 1 but did not enforce it. - If they had a globally-trusted cert, they'll silently become secure; - If they had self-signed cert, their auth will become "Unreachable" until users Edit the provider to configure custom CA to trust.
To reduce confusion with hawkular_endpoint (which returns an Endpoint).
2257eb7
to
cc9d396
Compare
Checked commits cben/manageiq@7fb273d~...cc9d396 with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0 |
@blomquisg This PR is ready. I believe oVirt #14004 is ready too. Addressed comments, added one test, verified behavior with a pre-darga provider defaults to secure [https://gist.github.com/cben/684d5e36e068278b29de0309e669ff0e]. Still chasing an edge case in the UI PR ManageIQ/manageiq-ui-classic#450 — if your provider had no hawkular endpoint (kubernetes, openshifts created before darga(?)) — it's hard or impossible to edit the provider without adding a hawkular endpoint. It could make sense to merge things as is and I'll follow up with another UI PR (strictly better than merging core without UI; the alternative is blocking all 3). |
I've opened a docs issue discussing this situation so that we can craft appropriate documentation for users impacted by this change: ManageIQ/manageiq-documentation#244 |
Support verifying kubernetes/openshift TLS certificates, including self-signed certificates.
The UI PR ManageIQ/manageiq-ui-classic#450 will consistently set endpoint (security_protocol, verify_ssl, certificate_authority) for containers, with 3 modes:
ssl-with-validation
, 1, nil)ssl-with-validation-custom-ca
, 1, certificate_authority text)ssl-without-validation
, 0, nil)[Some providers use just
ssl
but with inconsistent meanings, I opted for long but unambiguous.]REST API passing these options already possible on master.
Compatibility:
Existing providers, both via UI and API had no security_protocol, defaulted to verify_ssl == 1 but did not enforce it.
If they have a globally-trusted cert, they'll silently become secure;
If they have self-signed cert, their auth will become "Error" until users Edit the provider to configure custom CA to trust (or disable validation):
![status-error](https://cloud.githubusercontent.com/assets/273688/23214791/accb2ac2-f918-11e6-81f9-6627d026d3d6.png)
Is this OK or too aggressive?
Verified behavior without hawkular endpoint (kubernetes, openshifts created before darga(?)). Defaults to secure as expected.
Verified that various connections still work:
[]
but connection worked no errors)Links
and MiqContainerGroup, WebDAV: take net/http options hash manageiq-gems-pending#51 [merged] for passing https options to container MiqFS.
@miq-bot add-label providers/containers, security, bug, enhancement
@Fryguy @blomquisg @moolitayer please review. cc @jhernand @simon3z