SWATCH-2007: Enable Spring actuator custom certificate information provider #2860
Conversation
Force-pushed 52fb768 to 987107c
Note that I've also tried to provide the certificates using the following clowder config:

    {
      "endpoints": [
        {
          "app": "swatch-contracts",
          "hostname": "swatch-contracts.hostname",
          "name": "service",
          "port": 8000,
          "tlsPort": 8001
        }
      ],
      "metricsPath": "/metrics",
      "metricsPort": 9000,
      "privatePort": 8080,
      "publicPort": 8000,
      "webPort": 8000,
      "tlsCAPath": "/home/jcarvaja/sources/RedHatInsights/rhsm-subscriptions/swatch-core/src/test/resources/ca-test.pem"
    }

And running the app as:
And the cert for the contracts endpoint is correctly displayed:
When hitting the /info endpoint, I see some awkward values like:

    "productServiceProperties.keystore": {
      " not readable": {}
    },

This is happening when the certificate path is empty (not provided), so a more descriptive message would be either:

    "productServiceProperties.keystore": {},

Or being more descriptive like:

    "productServiceProperties.keystore": {
      "certificate not configured / not set / or something like this": {}
    },

I prefer the first option which is less verbose.
swatch-core/src/main/java/org/candlepin/subscriptions/actuator/CertInfoContributor.java
Force-pushed 987107c to 82c0e0f
lgtm now!
I think these changes are quite useful. Is there a JIRA ticket to implement this /info endpoint for the Quarkus-based services? @kahowell @lindseyburnett

@Sgitario no, we don't currently have a Jira issue for this, feel free to create one and get it groomed, etc.

/retest
This move allows the CertInfoContributor to be used by the main application as well as swatch-system-conduit.
Force-pushed 82c0e0f to e23dfa2
Jira issue: SWATCH-2007

Description

This issue is additional work associated with the annual X509 certificate renewal we do. Before revoking the old certificates, I need to ensure the new ones are in use. Last February, I wrote a Spring Actuator endpoint to display the certificate information, but the endpoint was configured incorrectly. Specifically, the endpoint worked fine over JMX but was misconfigured for HTTP. Since JMX is no longer available, this PR fixes the misconfiguration. Additionally, this PR moves the certificate information underneath the info actuator (which is already enabled) since there isn't much point in having a custom actuator for an informational thing like this.

Testing

Steps

subscriptionServiceProperties (both .keystore and .truststore). The other TlsProperties beans are either completely empty or have error messages indicating that the certificate path can't be read (e.g. `${clowder.endpoints.rbac-service.trust-store-path} not readable`)

rhsmApiProperties.*
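As an added illustration (not the project's CertInfoContributor and not code from this PR), a hypothetical Spring Boot InfoContributor that publishes keystore certificate metadata under the /info actuator and, as the review comment on the empty-path case asks, reports `{}` when no path is configured rather than a `" not readable"` key. The class name, the constructor and the way the label, path and password are wired in are assumptions; it needs Java 17+ and spring-boot-starter-actuator on the classpath.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HexFormat;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.boot.actuate.info.Info;
import org.springframework.boot.actuate.info.InfoContributor;

/**
 * Hypothetical contributor (not the project's CertInfoContributor): exposes
 * public certificate metadata from one keystore under /info so an operator can
 * confirm which certificate a deployment is using before the old one is
 * revoked. Private key material is never read into the response.
 */
public class KeystoreInfoContributor implements InfoContributor {

    private final String label;          // e.g. "productServiceProperties.keystore" (assumed)
    private final String keystorePath;   // null or blank means "not configured" (assumed wiring)
    private final char[] keystorePassword;

    public KeystoreInfoContributor(String label, String keystorePath, char[] keystorePassword) {
        this.label = label;
        this.keystorePath = keystorePath;
        this.keystorePassword = keystorePassword;
    }

    @Override
    public void contribute(Info.Builder builder) {
        builder.withDetail(label, describe(keystorePath, keystorePassword));
    }

    /** Builds the JSON-friendly map shown under /info for one keystore. */
    static Map<String, Object> describe(String path, char[] password) {
        // Unset path: report {} instead of a key such as " not readable".
        if (path == null || path.isBlank()) {
            return Collections.emptyMap();
        }
        Path file = Path.of(path);
        if (!Files.isReadable(file)) {
            return single(path + " not readable", Collections.emptyMap());
        }
        Map<String, Object> certs = new LinkedHashMap<>();
        try (InputStream in = Files.newInputStream(file)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);
            Enumeration<String> aliases = ks.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                Certificate cert = ks.getCertificate(alias);
                if (cert instanceof X509Certificate x509) {
                    certs.put(alias, summarize(x509));
                }
            }
        } catch (IOException | GeneralSecurityException e) {
            // Wrong password, bad format, etc.: name the failure class, nothing more.
            return single(path + " not readable", e.getClass().getSimpleName());
        }
        return certs;
    }

    /** Public fields only: enough to match the certificate the CA actually issued. */
    static Map<String, Object> summarize(X509Certificate x509) throws GeneralSecurityException {
        Map<String, Object> d = new LinkedHashMap<>();
        d.put("subject", x509.getSubjectX500Principal().getName());
        d.put("issuer", x509.getIssuerX500Principal().getName());
        d.put("serial", x509.getSerialNumber().toString(16));
        d.put("notBefore", x509.getNotBefore().toInstant().toString());
        d.put("notAfter", x509.getNotAfter().toInstant().toString());
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(x509.getEncoded());
        d.put("sha256Fingerprint", HexFormat.ofDelimiter(":").formatHex(digest));
        return d;
    }

    private static Map<String, Object> single(String key, Object value) {
        Map<String, Object> m = new LinkedHashMap<>();
        m.put(key, value);
        return m;
    }
}
```

Register one instance per TLS configuration as a Spring bean and it is picked up by the existing /info endpoint. Whether /info is reachable over HTTP at all is governed by `management.endpoints.web.exposure.include`, which is the kind of setting that lets an endpoint work over JMX while being absent over HTTP, as the PR description recounts; the fingerprint and validity window in the output are what to compare against the renewed certificate before revoking the old one.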