This repository was archived by the owner on Nov 24, 2025. It is now read-only.

Conversation


@dsouza93 dsouza93 commented Sep 6, 2023

Adding variables to configure client certificate authentication in the ansible infrastructure's cdn.conf file.

Defaulted the values to disable client certificate authentication.

Which Traffic Control components are affected by this PR?

  • Automation - Lab Ansible Infrastructure

What is the best way to verify this PR?

Build an environment setting the following two variables

  • to_client_cert_root_directory = path to root cert file
  • to_go_client_auth_enabled = 1

You should see the config values set in cdn.conf.

If this is a bugfix, which Traffic Control versions contained the bug?

Not a bug fix

PR submission checklist

  • This PR has tests - This PR is an improvement to automated infra that is involved in testing.
  • [ ] This PR has documentation - I'm enabling already implemented and documented features.
  • [ ] This PR has a CHANGELOG.md entry
  • This PR DOES NOT FIX A SERIOUS SECURITY VULNERABILITY (see the Apache Software Foundation's security guidelines for details)

@ericholguin ericholguin added the labels new feature, low impact, automation, authentication and configuration on Sep 6, 2023
Contributor

ragen14 commented Sep 6, 2023

LGTM

Comment on lines +71 to +73
"tls_config": {
"ClientAuth": "{{ to_go_client_auth_enabled }}"
},
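Review bot: the value on the middle line of this region is rendered inside double quotes, so `to_go_client_auth_enabled` reaches cdn.conf as the JSON string "1" rather than the number 1; Go's tls.ClientAuthType is an integer, and if tls_config is decoded straight into a tls.Config (as the http.Server snippet quoted later in this thread implies) a quoted value will fail to unmarshal. Suggest `"ClientAuth": {{ to_go_client_auth_enabled }}` without the quotes, plus a comment in the role defaults that the integer is Go's tls.ClientAuthType, where 1 is RequestClientCert: the certificate is asked for but neither required nor verified by the TLS layer, so verification rests entirely on Traffic Ops' own client_certificate_authentication handling.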
Member

Also needs

        "MinVersion": 769,

Author

Is there no default in TO that I am leaving this up to?

What does the tls_config get set to without this block as it was before?

Member

Is there no default in TO that I am leaving this up to?

Not currently, no

What does the tls_config get set to without this block as it was before?

Whatever the TLS config is, empty or not, is used as the server's TLS config. The defaults are internal Go HTTP server logic:

        httpServer := &http.Server{
                Addr:      ":" + cfg.Port,
                TLSConfig: cfg.TLSConfig, // whatever cdn.conf's tls_config decoded to, possibly empty
        }
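To make the two numbers in this thread concrete (the `ClientAuth` value the template renders and the `MinVersion` of 769 suggested above), here is an added Go example; it is not Traffic Control code. It assumes, as the http.Server snippet above suggests, that cdn.conf's tls_config object is unmarshaled directly into a crypto/tls Config, so the JSON keys are Go field names. It decodes three constructed inputs: the value as the template quotes it, the same value unquoted, and an empty object.

```go
package main

import (
	"crypto/tls"
	"encoding/json"
	"fmt"
)

// ClientAuthName maps Go's tls.ClientAuthType integers (the values that the
// "ClientAuth" key in tls_config carries) to their names.
func ClientAuthName(a tls.ClientAuthType) string {
	switch a {
	case tls.NoClientCert:
		return "NoClientCert"
	case tls.RequestClientCert:
		return "RequestClientCert"
	case tls.RequireAnyClientCert:
		return "RequireAnyClientCert"
	case tls.VerifyClientCertIfGiven:
		return "VerifyClientCertIfGiven"
	case tls.RequireAndVerifyClientCert:
		return "RequireAndVerifyClientCert"
	}
	return fmt.Sprintf("unknown(%d)", int(a))
}

// TLSVersionName maps the numeric MinVersion/MaxVersion values to protocol names.
func TLSVersionName(v uint16) string {
	switch v {
	case 0:
		return "unset (Go's default for this Go release)"
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("unknown(0x%04x)", v)
}

// DecodeTLSConfig decodes a tls_config JSON object into a tls.Config the way a
// Go server must before assigning it to http.Server.TLSConfig. Assumption (not
// checked against Traffic Ops source): the object is unmarshaled directly into
// tls.Config, so keys must match the Go field names and types.
func DecodeTLSConfig(raw string) (*tls.Config, error) {
	cfg := &tls.Config{}
	if err := json.Unmarshal([]byte(raw), cfg); err != nil {
		return nil, err
	}
	return cfg, nil
}

// Describe summarises the two security-relevant fields this thread discusses.
func Describe(cfg *tls.Config) string {
	return fmt.Sprintf("ClientAuth=%s MinVersion=%s",
		ClientAuthName(cfg.ClientAuth), TLSVersionName(cfg.MinVersion))
}

func main() {
	// Constructed inputs: the template's quoted form, the unquoted form, and
	// an empty object (what a deployment without the block would produce).
	inputs := []string{
		`{"ClientAuth": "1", "MinVersion": 769}`,
		`{"ClientAuth": 1, "MinVersion": 769}`,
		`{}`,
	}
	for _, in := range inputs {
		cfg, err := DecodeTLSConfig(in)
		if err != nil {
			fmt.Printf("%-40s -> rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-40s -> %s\n", in, Describe(cfg))
	}
}
```

With the quoted form the decode fails, because ClientAuthType is an integer and encoding/json does not coerce a JSON string into it. The unquoted form yields RequestClientCert, which asks the peer for a certificate but neither requires nor verifies it at the TLS layer, and 769 is 0x0301, TLS 1.0. An empty object leaves both fields zero, meaning Go's own defaults for whichever release the server was built with.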

"environment": "{{ to_le_environment }}"
},
"client_certificate_authentication" : {
"root_certificates_directory" : "{{ to_client_cert_root_directory }}"
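Review bot: `root_certificates_directory` on the last line of this region renders whatever `to_client_cert_root_directory` holds with no check that the directory exists or is readable on the target, so a mistyped or absent path only surfaces when Traffic Ops tries to load the roots. Suggest guarding the role with a `stat` task and asserting on its `isdir` result before templating cdn.conf, and emitting this block only when client-cert authentication is actually enabled so a disabled deployment does not carry a dangling path.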
Member

What creates to_client_cert_root_directory? How do we know it exists?

Author

It might not exist - for our purposes I handled it in ansible-pull. It already exists on all of our nightly boxes. I will handle this the same way when going to production.

Author

I added a conditional block to leave this out if the client-cert authentication is disabled.

Adding variables to configure client certificate authentication in
the ansible infrastructure's cdn.conf file.

Defaulted the values to disable client certificate authentication.
@dsouza93 dsouza93 force-pushed the ansible_to_root_cert branch from d3d010b to 708a95c on September 6, 2023 17:20

Member

@zrhoffman zrhoffman left a comment
This seems fine. It's untested, but it's also a relatively small change. I trust that you'll open a follow-up PR if this breaks anything.

@zrhoffman zrhoffman merged commit 352337d into apache:master Sep 6, 2023