
Secure the invoker with ssl. #3968

Merged: 3 commits, Sep 17, 2018

Conversation

cbickel (Contributor) commented Aug 15, 2018

Description

This PR adds SSL to the invoker to secure the ping-endpoint. In addition it tidies up some controller-ssl-settings.

Related issue and scope

  • I opened an issue to propose and discuss this change (#????)

My changes affect the following components

  • API
  • Controller
  • Message Bus (e.g., Kafka)
  • Loadbalancer
  • Invoker
  • Intrinsic actions (e.g., sequences, conductors)
  • Data stores (e.g., CouchDB)
  • Tests
  • Deployment
  • CLI
  • General tooling
  • Documentation

Types of changes

  • Bug fix (generally a non-breaking change which closes an issue).
  • Enhancement or new feature (adds new functionality).
  • Breaking change (a bug fix or enhancement which changes existing behavior).

Checklist:

  • I signed an Apache CLA.
  • I reviewed the style guides and followed the recommendations (Travis CI will check :).
  • I added tests to cover my changes.
  • My changes require further changes to the documentation.
  • I updated the documentation where necessary.

codecov-io commented Aug 15, 2018

Codecov Report

Merging #3968 into master will decrease coverage by 4.58%.
The diff coverage is 93.33%.


@@            Coverage Diff             @@
##           master    #3968      +/-   ##
==========================================
- Coverage   85.84%   81.25%   -4.59%     
==========================================
  Files         147      147              
  Lines        7114     7113       -1     
  Branches      419      431      +12     
==========================================
- Hits         6107     5780     -327     
- Misses       1007     1333     +326
Impacted Files Coverage Δ
.../main/scala/whisk/core/controller/Controller.scala 82.97% <100%> (+0.87%) ⬆️
...rc/main/scala/whisk/core/controller/Triggers.scala 94.28% <100%> (+0.04%) ⬆️
...er/src/main/scala/whisk/core/invoker/Invoker.scala 68.96% <100%> (+1.1%) ⬆️
...a/src/main/scala/whisk/http/BasicHttpService.scala 93.22% <100%> (-0.23%) ⬇️
...mmon/scala/src/main/scala/whisk/common/Https.scala 77.77% <83.33%> (-16.96%) ⬇️
...core/database/cosmosdb/RxObservableImplicits.scala 0% <0%> (-100%) ⬇️
...core/database/cosmosdb/CosmosDBArtifactStore.scala 0% <0%> (-95.1%) ⬇️
...sk/core/database/cosmosdb/CosmosDBViewMapper.scala 0% <0%> (-92.6%) ⬇️
...whisk/core/database/cosmosdb/CosmosDBSupport.scala 0% <0%> (-81.82%) ⬇️
...abase/cosmosdb/CosmosDBArtifactStoreProvider.scala 0% <0%> (-58.83%) ⬇️
... and 3 more

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 09c5305...7b45cdc.

cbickel added the "review" label (Review for this PR has been requested and yet needs to be done.) on Aug 16, 2018

cbickel (Contributor, Author) commented Aug 20, 2018

PG2#3514 🔵

vvraskin (Contributor) left a comment

Thanks for cleaning up the previous https configuration, neatly done. Just some minor comments.

storeFlavor: PKCS12
clientAuth: "{{ controller_client_auth | default('true') }}"
cert: "controller-openwhisk-server-cert.pem"

Should we use this var __controller_ssl_keyPrefix for both cert and key variables?

keyPrefix: "{{ __invoker_ssl_keyPrefix }}"
storeFlavor: "PKCS12"
clientAuth: "{{ invoker_client_auth | default('true') }}"
cert: "invoker-openwhisk-server-cert.pem"
The same as above: __invoker_ssl_keyPrefix.

val trustManagerFactory: TrustManagerFactory = TrustManagerFactory.getInstance(keyFactoryType)
trustManagerFactory.init(ts)
trustManagerFactory.init(keyStore)
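Review bot: replacing `trustManagerFactory.init(ts)` with `trustManagerFactory.init(keyStore)` silently turns every certificate in the server keystore into a trust anchor for client authentication, and the ansible defaults above set clientAuth to 'true', so a peer is accepted only if its certificate chains to something in that same store; either state this coupling in a comment right next to the `init(keyStore)` call or keep a separately configurable truststore that falls back to the keystore when none is set, so operators can rotate client-trust material without touching the server key.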

As discussed in person, should we add a comment saying that we use keystore as a truststore here or leave truststore configurable from the outside?
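A worked illustration of the two options raised in the comment above (keystore reused as truststore versus a separately configured truststore), written as an added example for this discussion and not code from the OpenWhisk PR. `HttpsConfig` here is a hypothetical case class mirroring the keyPrefix/storeFlavor/clientAuth keys from the ansible snippets, and the `ConnectionContext.https` call assumes the akka-http 10.1 signature.

```scala
import java.io.FileInputStream
import java.security.KeyStore
import javax.net.ssl.{KeyManagerFactory, SSLContext, TrustManagerFactory}
import akka.http.scaladsl.{ConnectionContext, HttpsConnectionContext}
import akka.stream.TLSClientAuth

// Hypothetical config shape (assumption): mirrors keyPrefix/storeFlavor/clientAuth from the ansible files.
final case class HttpsConfig(keystorePath: String,
                             keystorePassword: String,
                             storeFlavor: String, // e.g. "PKCS12"
                             clientAuth: Boolean,
                             truststorePath: Option[String] = None,
                             truststorePassword: Option[String] = None)

object HttpsExample {
  private def loadStore(path: String, password: String, flavor: String): KeyStore = {
    val store = KeyStore.getInstance(flavor)
    val in = new FileInputStream(path)
    try store.load(in, password.toCharArray) finally in.close()
    store
  }

  /** Builds the server SSLContext. When no truststore is configured the keystore doubles as
    * truststore, which is the behaviour the review comment asks to make explicit. */
  def sslContext(config: HttpsConfig): SSLContext = {
    val keyStore = loadStore(config.keystorePath, config.keystorePassword, config.storeFlavor)
    val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
    kmf.init(keyStore, config.keystorePassword.toCharArray)

    // Keystore-as-truststore fallback: with clientAuth=true a client certificate is accepted only
    // if it chains to a certificate that is present in the server's own keystore.
    val trustStore = (config.truststorePath, config.truststorePassword) match {
      case (Some(path), Some(pw)) => loadStore(path, pw, config.storeFlavor)
      case _                      => keyStore
    }
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
    tmf.init(trustStore)

    val ctx = SSLContext.getInstance("TLS")
    ctx.init(kmf.getKeyManagers, tmf.getTrustManagers, null)
    ctx
  }

  /** Maps the clientAuth flag onto akka-http's TLS client-auth mode (akka-http 10.1 API assumed). */
  def connectionContext(config: HttpsConfig): HttpsConnectionContext = {
    val mode = if (config.clientAuth) TLSClientAuth.need else TLSClientAuth.none
    ConnectionContext.https(sslContext(config), clientAuth = Some(mode))
  }
}
```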

@@ -165,7 +165,7 @@ object BasicHttpService {
/**
* Starts an HTTPS route handler on given port and registers a shutdown hook.
*/
def startHttpsService(route: Route, port: Int, config: WhiskConfig)(implicit actorSystem: ActorSystem,
def startHttpsService(route: Route, port: Int, config: HttpsConfig)(implicit actorSystem: ActorSystem,
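Review bot: the scaladoc above this signature still only says "on given port" although the parameter type changed from `WhiskConfig` to `HttpsConfig`; update it to name which settings the handler reads from the config (keystore, password, client-auth flag) so callers know what a valid `HttpsConfig` must carry, and double-check that every call site that previously passed a `WhiskConfig` has been migrated, since the type change is not source-compatible.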
This method is pretty similar to startHttpService; should we perhaps merge them into something like:

  def startHttpService(route: Route, port: Int, config: Option[HttpsConfig] = None)(
    implicit actorSystem: ActorSystem,
    materializer: ActorMaterializer): Unit = {

    implicit val executionContext = actorSystem.dispatcher
    val context = config.map(c => Https.connectionContext(c)).getOrElse(Http().defaultServerHttpContext)
    Http().bindAndHandle(route, "0.0.0.0", port, connectionContext = context)
  }

vvraskin (Contributor) left a comment

LGTM

@vvraskin vvraskin merged commit 068bb26 into apache:master Sep 17, 2018
@cbickel cbickel deleted the ssl branch September 17, 2018 11:32
BillZong pushed a commit to BillZong/openwhisk that referenced this pull request Nov 18, 2019
* Secure the invoker with ssl.

* Tidy up controller ssl.

* Review.
Labels
review Review for this PR has been requested and yet needs to be done.